(IJCNS) International Journal of Computer and Network Security, 1

Vol. 2, No. 9, September 2010

Shadow Honeypots
Kostas G. Anagnostakis1, Stelios Sidiroglou2, Periklis Akritidis1,3, Michalis Polychronakis4,
Angelos D. Keromytis4, Evangelos P. Markatos5
1
Niometrics R&D, Singapore
kostas@niometrics.com
2
Computer Science and Artificial Intelligence Laboratory, MIT, USA
stelios@csail.mit.edu
3
University of Cambridge, UK
pa280@cl.cam.ac.uk
4
Department of Computer Science, Columbia University, USA
{mikepo, angelos}@cs.columbia.edu
5
Institute of Computer Science, Foundation for Research & Technology – Hellas, Greece
markatos@ics.forth.gr

detected, as shown in Figure 1. Honeypots can be heavily

Abstract: We present Shadow Honeypots, a novel hybrid
architecture that combines the best features of honeypots and
anomaly detection. At a high level, we use a variety of anomaly
detectors to monitor all traffic to a protected network or service.
Traffic that is considered anomalous is processed by a “shadow
honeypot” to determine the accuracy of the anomaly prediction.
The shadow is an instance of the protected software that shares
all internal state with a regular (“production”) instance of the
application, and is instrumented to detect potential attacks.
Attacks against the shadow are caught, and any incurred state
changes are discarded. Legitimate traffic that was misclassified
will be validated by the shadow and will be handled correctly by
the system transparently to the end user. The outcome of
processing a request by the shadow is used to filter future attack
instances and could be used to update the anomaly detector. Our
architecture allows system designers to fine-tune systems for
performance, since false positives will be filtered by the shadow.
We demonstrate the feasibility of our approach in a proof-of-
concept implementation of the Shadow Honeypot architecture
for the Apache web server and the Mozilla Firefox browser. We
show that despite a considerable overhead in the
instrumentation of the shadow honeypot (up to 20% for
Apache), the overall impact on the system is diminished by the
ability to minimize the rate of false-positives.
Keywords: honeypots, anomaly detection
1. Introduction
Due to the increasing level of malicious activity seen on
today’s Internet, organizations are beginning to deploy
mechanisms for detecting and responding to new attacks or
suspicious activity, called Intrusion Prevention Systems
(IPS). Since current IPSes use rule-based intrusion detection
systems (IDS) such as Snort [1] to detect attacks, they are
limited to protecting, for the most part, against already
known attacks. As a result, new detection mechanisms are
being developed for use in more powerful reactive-defense
systems. The two primary such mechanisms are honeypots
[2], [3], [4], [5], [6], [7] and anomaly detection systems
(ADS) [8], [9], [10], [11], [12], [13]. In contrast with IDSes,
honeypots and ADSes offer the possibility of detecting (and
thus responding to) previously unknown attacks, also
referred to as zero-day attacks.
Honeypots and anomaly detection systems offer different
tradeoffs between accuracy and scope of attacks that can be
instrumented to accurately detect attacks, but depend on an
attacker attempting to exploit a vulnerability against them.
This makes them good for detecting scanning worms [14],
[15], [3], but ineffective against manual directed attacks or
topological and hit-list worms [16], [17]. Furthermore,
honeypots can typically only be used for server-type
applications. Anomaly detection systems can theoretically
detect both types of attacks, but are usually much less
accurate. Most such systems offer a tradeoff between false
positive (FP) and false negative (FN) rates. For example, it
is often possible to tune the system to detect more potential
attacks, at an increased risk of misclassifying legitimate
traffic (low FN, high FP); alternatively, it is possible to
make an anomaly detection system more insensitive to
attacks, at the risk of missing some real attacks (high FN,
low FP). Because an ADS-based IPS can adversely affect
legitimate traffic (e.g., drop a legitimate request), system
designers often tune the system for low false positive rates,
potentially misclassifying attacks as legitimate traffic.
We propose a novel hybrid approach that combines the
best features of honeypots and anomaly detection, named
Shadow Honeypots. At a high level, we use a variety of
anomaly detectors to monitor all traffic to a protected
network. Traffic that is considered anomalous is processed
by a shadow honeypot. The shadow version is an instance of
the protected application (e.g., a web server or client) that
shares all internal state with a “normal” instance of the
application, but is instrumented to detect potential attacks.
Attacks against the shadow honeypot are caught and any
incurred state changes are discarded. Legitimate traffic that
was misclassified by the anomaly detector will be validated
by the shadow honeypot and will be transparently handled
correctly by the system (i.e., an HTTP request that was
mistakenly flagged as suspicious will be served correctly).
Our approach offers several advantages over stand-alone
ADSes or honeypots:
• First, it allows system designers to tune the anomaly
detection system for low false negative rates, minimizing
the risk of misclassifying a real attack as legitimate
traffic, since any false positives will be weeded out by the
2 (IJCNS) International Journal of Computer and Network Security,
shadow honeypot.
• Second, and in contrast to typical honeypots, our
approach can defend against attacks that are tailored
against a specific site with a particular internal state.
Honeypots may be blind to such attacks, since they are
not typically mirror images of the protected application.
• Third, shadow honeypots can also be instantiated in a
form that is particularly well-suited for protecting
against client-side attacks, such as those directed against
web browsers and P2P file-sharing clients.
• Finally, our system architecture facilitates easy
integration of additional detection mechanisms.
Figure 1. A simple classification of honeypots and anomaly
detection systems, based on attack detection accuracy and
scope of detected attacks. Targeted attacks may use lists of
known (potentially) vulnerable servers, while scan-based
attacks will target any system that is believed to run a
vulnerable service. AD systems can detect both types of
attacks, but with lower accuracy than a specially
instrumented system (honeypot). However, honeypots are
blind to targeted attacks, and may not see a scanning attack
until after it has succeeded against the real server.
We apply the concept of shadow honeypots to a proof-of-
concept implementation tailored against memory violation
attacks. Specifically, we developed a tool that allows for
automatic transformation of existing code into its “shadow
version.” The resulting code allows for traffic handling to
happen through the regular or shadow version of the
application, contingent on input derived from an array of
anomaly detection sensors. When an attack is detected by
the shadow version of the code, state changes effected by the
malicious request are rolled back. Legitimate traffic handled
by the shadow is processed successfully, albeit at higher
latency. Note that the shadow may be an entirely separate
process, possibly running on a different machine (loose
coupling), or it may be a different thread running in the
same address space (tight coupling). These two approaches
reflect different tradeoffs in state-sharing overhead, ease of
deployment, and transparency to the user.
In addition to the server-side scenario, we also investigate
a client-targeting attack-detection scenario, unique to
shadow honeypots, where we apply the detection heuristics
to content retrieved by protected clients and feed any
Vol. 2, No. 9, September 2010
positives to shadow honeypots for further analysis. Unlike
traditional honeypots, which are idle whilst waiting for
active attackers to probe them, this scenario enables the
detection of passive attacks, where the attacker lures a
victim user to download malicious data. We use the recent
libpng vulnerability of Mozilla [18] (which is similar to
the buffer overflow vulnerability in the Internet Explorer’s
JPEG-handling logic) to demonstrate the ability of our
system to protect client-side applications.
Our shadow honeypot prototype consists of several
components. At the front-end of our system, we use a high-
performance intrusion-prevention system based on the Intel
IXP network processor and a set of modified Snort sensors
running on normal PCs. The network processor is used as a
smart load-balancer, distributing the workload to the
sensors. The sensors are responsible for testing the traffic
against a variety of anomaly detection heuristics, and
coordinating with the IXP to tag traffic that needs to be
inspected by shadow honeypots. This design leads to the
scalability needed in high-end environments such as web
server farms, as only a fraction of the servers need to incur
the penalty of providing shadow honeypot functionality.
In our implementation, we have used a variety of anomaly
detection techniques, including Abstract Payload Execution
(APE) [10], the Earlybird algorithm [19], and network-level
emulation [13]. The feasibility of our approach is
demonstrated by examining both false-positive and true
attack scenarios. We show that our system has the capacity
to process all false positives generated by APE and
EarlyBird and successfully detect attacks. Furthermore, it
enhances the robustness of network-level emulation against
advanced evasion attacks. We also show that when the
anomaly detection techniques are tuned to increase detection
accuracy, the resulting additional false positives are still
within the processing budget of our system. More
specifically, our benchmarks show that although
instrumentation is expensive (20-50% overhead), the
shadow version of the Apache Web server can process
around 1300 requests per second, while the shadow version
of the Mozilla Firefox client can process between 1 and 4
requests per second. At the same time, the front-end and
anomaly detection algorithms can process a fully-loaded
Gbit/s link, producing 0:3 to 0:5 false positives per minute
when tuned for high sensitivity, which is well within the
processing budget of our shadow honeypot implementation.
The remainder of this paper is organized as follows.
Section 2 discusses the shadow honeypot architecture in
greater detail. We describe our implementation in Section 3,
and our experimental and performance results in Section 4.
Some of the limitations of our approach are briefly discussed
in Section 5. We give an overview of related work in Section
6, and conclude the paper with a summary of our work and
plans for future work in Section 7.
2. Architecture
The Shadow Honeypot architecture is a systems approach to
handling network-based attacks, combining filtering,
 (IJCNS) International Journal of Computer and Network Security, 3
Vol. 2, No. 9, September 2010

anomaly detection systems, and honeypots in a way that
exploits the best features of these mechanisms, while
shielding their limitations. We focus on transactional
applications, i.e., those that handle a series of discrete
requests. Our architecture is not limited to server
applications, but can be used for clientside applications such
as web browsers and P2P clients. As shown in Figure 2, the
architecture is composed of three main components: a
filtering engine, an array of anomaly detection
expensive instrumentation to detect attacks. The shadow and
the regular application fully share state to avoid attacks that
exploit differences between the two; we assume that an
attacker can only interact with the application through the
filtering and AD stages, i.e., there are no side-channels. The
level of instrumentation used in the shadow depends on the
amount of latency we are willing to impose on suspicious
traffic (whether truly malicious or misclassified legitimate
traffic). In our implementation, described in Section 3, we
focus on memory-violation attacks, but any attack that can
be determined algorithmically can be

Figure 2. Shadow Honeypot architecture.

sensors, and the shadow honeypot, which validates the

predictions of the anomaly detectors. The processing logic of
the system is shown in Figure 3.
The filtering component blocks known attacks. Such Figure 3. System workflow.
filtering is done based either on payload content [20], [21]
or on the source of the attack, if it can be identified with
detected and recovered from, at the cost of increased
reasonable confidence (e.g., confirmed traffic bi-
complexity and potentially higher latency.
directionality). Effectively, the filtering component short-
If the shadow detects an actual attack, we notify the
circuits the detection heuristics or shadow testing results by
filtering component to block further attacks. If no attack is
immediately dropping specific types of requests before any
detected, we update the prediction models used by the
further processing is done.
anomaly detectors. Thus, our system could in fact self-train
Traffic passing the first stage is processed by one or more
and fine-tune itself using verifiably bad traffic and known
anomaly detectors. There are several types of anomaly
mis-predictions, but this aspect of the approach is outside
detectors that may be used in our system, including payload
the scope of this paper.
analysis [9], [19], [22], [10], [13] and network behavior
As we mentioned above, shadow honeypots can be
[23], [24]. Although we do not impose any particular
integrated with servers as well as clients. In this paper, we
requirements on the AD component of our system, it is
consider tight coupling with both server and client
preferable to tune such detectors towards high sensitivity (at
applications, where the shadow resides in the same address
the cost of increased false positives). The anomaly detectors,
space as the protected application.
in turn, signal to the protected application whether a request
is potentially dangerous.
• Tightly coupled with server. This is the most practical
Depending on this prediction by the anomaly detectors,
scenario, in which we protect a server by diverting
the system invokes either the regular instance of the
suspicious requests to its shadow. The application and
application or its shadow. The shadow is an instrumented
the honeypot are tightly coupled, mirroring functionality
instance of the application that can detect specific types of
and state. We have implemented this configuration with
failures and rollback any state changes to a known (or
the Apache web server, described in Section 3.
presumed) good state, e.g., before the malicious request was
• Tightly coupled with client. Unlike traditional
processed. Because the shadow is (or should be) invoked
honeypots, which remain idle while waiting for active
relatively infrequently, we can employ computationally
attacks, this scenario targets passive attacks, where the
 4 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

attacker lures a victim user to download data containing under the 1 Gbit/s mark [27], [28].
an attack, as with the recent buffer overflow vulnerability Faced with these limitations, we considered a distributed
in Internet Explorer’s JPEG handling [25]. In this design, similar in principle to [29], [30]: we use a network
scenario, the context of an attack is an important processor (NP) as a scalable, custom load balancer, and
consideration in replaying the attack in the shadow. It implement all detection heuristics on an array of (modified)
may range from data contained in a single packet to an Snort sensors running on standard PCs that are connected to
entire flow, or even set of flows. Alternatively, it may be the network processor board. We chose not to implement
defined at the application layer. For our testing scenario any of the detection heuristics on the NP for two reasons.
using HTTP, the request/response pair is a convenient First, currently available NPs are designed primarily for
context. simple forwarding and lack the processing capacity required
for speeds in excess of 1 Gbit/s. Second, they remain harder
Tight coupling assumes that the application can be to program and debug than standard general purpose
modified. The advantage of this configuration is that attacks processors. For our implementation, we used the IXP1200
that exploit differences in the state of the shadow vs. the network processor. A high-level view of our implementation
application itself become impossible. However, it is also is shown in Figure 4.
possible to deploy shadow honeypots in a loosely coupled
configuration, where the shadow resides on a different
system and does not share state with the protected
application. The advantage of this configuration is that
management of the shadows can be “outsourced” to a third
entity.
Note that the filtering and anomaly detection components
can also be tightly coupled with the protected application, or
may be centralized at a natural aggregation point in the
network topology (e.g., at the firewall).
Finally, it is worth considering how our system would
behave against different types of attacks. For most attacks
we have seen thus far, once the AD component has
identified an anomaly and the shadow has validated it, the
filtering component will block all future instances of it from
Figure 4. High-level diagram of prototype shadow
getting to the application. However, we cannot depend on
honeypot implementation.
the filtering component to prevent polymorphic or
metamorphic [26] attacks. For low-volume events, the cost
A primary function of the anomaly detection sensor is the
of invoking the shadow for each attack may be acceptable.
ability to divert potentially malicious requests to the shadow
For high-volume events, such as a Slammer-like outbreak,
honeypot. For web servers in particular, a reasonable
the system will detect a large number of correct AD
definition of the attack context is the HTTP request. For this
predictions (verified by the shadow) in a short period of
purpose, the sensor must construct a request, run the
time; should a configurable threshold be exceeded, the
detection heuristics, and forward the request depending on
system can enable filtering at the second stage, based on the
the outcome. This processing must be performed at the
unverified verdict of the anomaly detectors. Although this
HTTP level thus an HTTP proxy-like function is needed. We
will cause some legitimate requests to be dropped, this could
implemented the anomaly detection sensors for the tightly-
be acceptable for the duration of the incident. Once the
coupled shadow server case by augmenting an HTTP proxy
number of (perceived) attacks seen by the ADS drop beyond
with ability to apply the APE detection heuristic on
a threshold, the system can revert to normal operation.
incoming requests and route them according to its outcome.
For the shadow client scenario, we use an alternative
3. Implementation solution based on passive monitoring. Employing the proxy
approach in this situation would be prohibitively expensive,
3.3 Filtering and Anomaly Detection
in terms of latency, since we only require detection
During the composition of our system, we were faced with capabilities. For this scenario, we reconstruct the TCP
numerous design issues with respect to performance and streams of HTTP connections and decode the HTTP protocol
extensibility. When considering the deployment of the to extract suspicious objects.
shadow honeypot architecture in a high-performance As part of our proof-of-concept implementation we have
environment, such as a Web server farm, where speeds of at used three anomaly detection heuristics: payload sifting,
least 1 Gbit/s are common and we cannot afford to abstract payload execution, and network-level emulation.
misclassify traffic, the choice for off-the-shelf components Payload sifting as developed in [19] derives fingerprints of
becomes very limited. To the best of our knowledge, current rapidly spreading worms by identifying popular substrings
solutions, both standalone PCs and network-processor-based in network traffic. It is a prime example of an anomaly
network intrusion detection systems (NIDSes), are well
 (IJCNS) International Journal of Computer and Network Security, 5
Vol. 2, No. 9, September 2010

detection based system that is able to detect novel attacks at

the expense of false positives. However, if used in isolation
(e.g., outside our shadow honeypot environment) by the time
it has reliably detected a worm epidemic, it is very likely
that many systems would have already been compromised.
This may reduce its usage potential in the tightly-coupled
server protection scenario without external help.
Nevertheless, if fingerprints generated by a distributed
payload sifting system are disseminated to interested parties
that run shadow honeypots locally, matching traffic against
such fingerprints can be of use as a detection heuristic in the
shadow honeypot system. Of further interest is the ability to
use this technique in the loosely-coupled shadow server
scenario, although we do not further consider this scenario
here.
The second heuristic we have implemented is buffer
overflow detection via abstract payload execution (APE), as
proposed in [10]. The heuristic detects buffer overflow Figure 5. Example of pmalloc()-based memory
attacks by searching for sufficiently long sequences of valid
allocation: the trailer and edge regions (above and below the
instructions in network traffic. Long sequences of valid
write-protected pages) indicate “waste” memory. This is
instructions can appear in non-malicious data, and this is
needed to ensure that mprotect() is applied on complete
where the shadow honeypot fits in. Such detection
memory pages.
mechanisms are particularly attractive because they are
applied to individual attacks and will trigger detection upon
encountering the first instance of an attack, unlike many
anomaly detection mechanisms that must witness multiple
attacks before flagging them as anomalous.
Finally, as discussed in Section 3.3, the third heuristic we
use is network-level emulation [13], [31], a detection
method that scans network traffic streams for the presence
of previously unknown polymorphic shellcode. The
approach is based on the execution of all potential malicious
instruction sequences found in the inspected traffic on a
NIDS-embedded CPU emulator. Based on a behavioral
heuristic, the detection algorithm can discriminate between
the execution of benign and malicious code.
3.4 Shadow Honeypot Creation
The creation of a shadow honeypot is based on a code-
transformation tool that takes as input the original
application source code and “weaves” into it the shadow
honeypot code. In this paper, we focus on memory-violation
errors and show source-code transformations that detect
buffer overflows, although other types of failures can be
caught (e.g., input that causes illegal memory dereferences)
with the appropriate instrumentation, but at the cost of Figure 6. Transforming a function to its shadow-
higher complexity and larger performance bottleneck. For supporting version. The shadow_enable() macro
the code transformations we use TXL [32], a hybrid simply checks the status of a shared-memory variable
functional and rule-based language which is well-suited for (controlled by the anomaly detection system) on whether the
performing source-to-source transformation and for rapidly shadow honeypot should be executing instead of the regular
prototyping new languages and language processors. The code.
grammar responsible for parsing the source input is
specified in a notation similar to Extended Backus-Naur The instrumentation itself is conceptually
(BNF). In our prototype, called DYBOC, we use TXL for C- straightforward: we move all static buffers to the heap by
to-C transformations with the GCC C front-end. dynamically allocating the buffer upon entering the function
in which it was previously declared; we de-allocate these
buffers upon exiting the function, whether implicitly (by
reaching the end of the function body) or explicitly (through
6 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

a return statement). We take care to properly handle the allocates a new page (which is given the permissions the
sizeof construct, a fairly straightforward task with TXL. original page had from the backup) for the process to
Pointer aliasing is not a problem, since we instrument the use, in exactly the same way copy-on-write works in
allocated memory regions; any illegal accesses to these will modern operating system. Both copies of the page are
be caught. maintained until transaction() is called again, as
For memory allocation, we use our own version of we describe below. This call to transaction() must
malloc(), called pmalloc(), that allocates two be placed manually by the programmer or system
additional zero-filled, write-protected pages that bracket the designer.
requested buffer, as shown in Figure 5. The guard pages are • Inside the main processing loop, immediately after the
mmap()’ed from /dev/zero as read-only. As mmap() end of handling a request, to indicate to the operating
operates at memory page granularity, every memory request system that a transaction has successfully completed. The
is rounded up to the nearest page. The pointer that is operating system then discards all original copies of
returned by pmalloc() can be adjusted to immediately memory pages that have been modified during
catch any buffer overflow or underflow depending on where processing this request. This call to transaction()
attention is focused. This functionality is similar to that must also be placed manually.
offered by the ElectricFence memory-debugging library, the • Inside the signal handler that is installed automatically
difference being that pmalloc() catches both buffer by our tool, to indicate to the operating system that an
overflow and underflow attacks. Because we mmap() pages exception (attack) has been detected. The operating
from /dev/zero, we do not waste physical memory for system then discards all modified memory pages by
the guards (just page-table entries). Memory is wasted, restoring the original pages.
however, for each allocated buffer, since we allocate to the
next closest page. While this can lead to considerable Although we have not implemented this, a similar
memory waste, we note that this is only incurred when mechanism can be built around the filesystem by using a
executing in shadow mode, and in practice has proven easily private copy of the buffer cache for the process executing in
manageable. shadow mode. The only difficulty arises when the process
Figure 6 shows an example of such a translation. Buffers must itself communicate with another process while
that are already allocated via malloc() are simply servicing a request; unless the second process is also
switched to pmalloc(). This is achieved by examining included in the transaction definition (which may be
declarations in the source and transforming them to pointers impossible, if it is a remote process on another system),
where the size is allocated with a malloc() function call. overall system state may change without the ability to roll it
Furthermore, we adjust the C grammar to free the variables back. For example, this may happen when a web server
before the function returns. After making changes to the communicates with a remote back-end database. Our system
standard ANSI C grammar that allow entries such as does not currently address this, i.e., we assume that any such
malloc() to be inserted between declarations and state changes are benign or irrelevant (e.g., a DNS query).
statements, the transformation step is trivial. For single- Specifically for the case of a back-end database, these
threaded, non-reentrant code, it is possible to only use inherently support the concept of a transaction rollback, so it
pmalloc() once for each previously-static buffer. is possible to undo any changes.
Generally, however, this allocation needs to be done each The signal handler may also notify external logic to
time the function is invoked. indicate that an attack associated with a particular input
Any overflow (or underflow) on a buffer allocated via from a specific source has been detected. The external logic
pmalloc() will cause the process to receive a may then instantiate a filter, either based on the network
Segmentation Violation (SEGV) signal, which is caught by source of the request or the contents of the payload [20].
a signal handler we have added to the source code in 3.5 Using Feedback to Improve Network-level
main(). The signal handler simply notifies the operating Detection
system to abort all state changes made by the process while A significant benefit stemming from the combination of
processing this request. To do this, we added a new system network-level anomaly detection techniques with host-level
call to the operating system, transaction(). This is attack prevention mechanisms is that it allows for increasing
conditionally (as directed by the shadow enable() macro) the detection accuracy of current network-level detectors.
invoked at three locations in the code: This improvement may go beyond simply increasing the
sensitivity of the detector and then mitigating the extra false
• Inside the main processing loop, prior to the beginning positives through the shadow honeypot. In certain cases, it is
of handling of a new request, to indicate to the operating also possible to enhance the robustness of the anomaly
system that a new transaction has begun. The operating detection algorithm itself against evasion attacks. In this
system makes a backup of all memory page permissions, section, we describe how shadow honeypots enhance the
and marks all heap memory pages as read-only. As the detection ability of network-level emulation, one of the
process executes and modifies these pages, the operating detection techniques that we have used in our
system maintains a copy of the original page and implementation.
 (IJCNS) International Journal of Computer and Network Security, 7
Network-level emulation [13], [31] is a passive network
monitoring approach for the detection of previously
unknown polymorphic shellcode. The approach relies on a
NIDSembedded CPU emulator that executes every potential
instruction sequence in the inspected traffic, aiming to
identify the execution behavior of polymorphic shellcode.
The principle behind network-level emulation is that the
machine code interpretation of arbitrary data results to
random code, which, when it is attempted to run on an
actual CPU, usually crashes soon, e.g., due to the execution
of an illegal instruction. In contrast, if some network request
actually contains a polymorphic shellcode, then the
shellcode runs normally, exhibiting a certain detectable
behavior.
Network-level emulation does not rely on any exploit or
vulnerability specific signatures, which allows the detection
of previously unknown attacks. Instead, it uses a generic
heuristic that matches the runtime behavior of polymorphic
shellcode. At the same time, the actual execution of the
attack code on a CPU emulator makes the detector robust to
evasion techniques such as highly obfuscated or self-
modifying code. Furthermore, each input is inspected
autonomously, which makes the approach effective against
targeted attacks, while from our experience so far with real-
world deployments, it has not produced any false positives.
The detector inspects either or both directions of each
network flow, which may contain malicious requests
towards vulnerable services, or malicious content served by
some compromised server towards a vulnerable client. Each
input is mapped to a random memory location in the virtual
address space of the emulator, as shown in Figure 7. Since
the exact position of the shellcode within the input stream is
not known in advance, the emulator repeats the execution
multiple times, starting from each and every position of the
stream. Before the beginning of a new execution, the state of
the CPU is randomized, while any accidental memory
modifications in the addresses where the attack vector has
been mapped to are rolled back after the end of each
execution. The execution of polymorphic shellcode is
identified by two key behavioral characteristics: the
execution of some form of GetPC code, and the occurrence
of several read operations from the memory addresses of the
input stream itself, as illustrated in Figure 7. The GetPC
code is used for finding the absolute address of the injected
code, which is mandatory for subsequently decrypting the
encrypted payload, and involves the execution of some
instruction from the call or fstenv instruction groups.
Figure 7. A typical execution of a polymorphic shellcode
using network-level emulation.
There exist situations in which the execution of benign
Vol. 2, No. 9, September 2010
inputs, which are interpreted by the emulator as random
code, might not stop soon, or even not at all, due to the
accidental formation of loop structures that may execute for
a very large number of iterations. To avoid extensive
performance degradation due to stalling on such seemingly
“endless” loops, if the number of executed instructions for a
given input reaches a certain execution threshold, then the
execution is terminated.
This unavoidable precaution introduces an opportunity for
evasion attacks against the detection algorithm through the
placement of a seemingly endless loop before the decryptor
code. An attacker could construct a decryptor that spends
millions of instructions just for reaching the execution
threshold before revealing any signs of polymorphic
behavior. We cannot simply skip the execution of such
loops, since the loop body may perform a crucial
computation for the subsequent correct execution of the
decoder, e.g., computing the decryption key.
Such “endless” loops are a well-known problem in the
area of dynamic code analysis [33], and we are not aware of
any effective solution so far. However, employing network-
level emulation as a first-stage detector for shadow
honeypots mitigates this problem. Without shadow honeypot
support, the network-level detector does not alert on inputs
that reach the execution threshold without exhibiting signs
of malicious behavior, which can potentially result to false
negatives. In contrast, when coupling network-level
emulation with shadow honeypots, such undecidable inputs
can be treated more conservatively by considering them as
potentially dangerous, and redirecting them to the shadow
version of the protected service. If an undecidable input
indeed corresponds to a code injection attack, then it will be
detected by the shadow honeypot. In Section 4.3 we show,
through analysis of real network traffic, that the number of
such streams that are undecidable in reasonable time (and
thus have to be forwarded to the shadow) is a small,
manageable fraction of the overall traffic.
4. Experimental Evaluation
We have tested our shadow honeypot implementation
against a number of exploits, including a recent Mozilla
PNG bug and several Apache-specific exploits. In this
section, we report on performance benchmarks that illustrate
the efficacy of our implementation.
First, we measure the cost of instantiating and operating
shadow instances of specific services using the Apache web
server and the Mozilla Firefox web browser. Second, we
evaluate the filtering and anomaly detection components,
and determine the throughput of the IXP1200-based load
balancer as well as the cost of running the detection
heuristics. Third, we look at the false positive rates and the
trade-offs associated with detection performance. Based on
these results, we determine how to tune the anomaly
detection heuristics in order to increase detection
performance while not exceeding the budget allotted by the
shadow services.
8 (IJCNS) International Journal of Computer and Network Security,
Figure 8. Apache benchmark results.
4.1 Performance of Shadow Services
Apache: In this experiment, we determine the workload
capacity of the shadow honeypot environment, using
DYBOC on the Apache web server, version 2.0.49. We
chose Apache due to its popularity and source code
availability. Basic Apache functionality was tested, omitting
additional modules. The tests were conducted on a PC with
a 2GHz Intel P4 processor and 1GB of RAM, running
Debian Linux (2.6.5- 1 kernel).
We used ApacheBench [34], a complete benchmarking
and regression testing suite. Examination of application
response is preferable to explicit measurements in the case
of complex systems, as we seek to understand the effect on
overall system performance.
Figure 8 illustrates the requests per second that Apache
can handle. There is a 20.1% overhead for the patched
version of Apache over the original, which is expected since
the majority of the patched buffers belong to utility functions
that are not heavily used. This result is an indication of the
worst-case analysis, since all the protection flags were
enabled; although the performance penalty is high, it is not
outright prohibitive for some applications. For the
instrumentation of a single buffer and a vulnerable function
that is invoked once per HTTP transaction, the overhead is
1.18%.
Of further interest is the increase in memory requirements
for the patched version. A naive implementation of
pmalloc() would require two additional memory pages
for each transformed buffer. Full transformation of Apache
translates into 297 buffers that are allocated with
pmalloc(), adding an overhead of 2.3MB if all of these
buffers are invoked simultaneously during program
execution. When protecting malloc()’ed buffers, the
amount of required memory can skyrocket.
To avoid this overhead, we use an mmap() based
allocator. The two guard pages are mmap()’ed write-
protected from /dev/zero, without requiring additional
physical memory to be allocated. Instead, the overhead of
our mechanism is 2 page-table entries (PTEs) per allocated
buffer, plus one file descriptor (for /dev/zero) per
Vol. 2, No. 9, September 2010
program. As most modern processors use an MMU cache
for frequently used PTEs, and since the guard pages are only
accessed when a fault occurs, we expect their impact on
performance to be small.
Mozilla Firefox: For the evaluation of the client case, we
used the Mozilla Firefox browser. For the initial validation
tests, we back-ported the recently reported libpng
vulnerability [18] that enables arbitrary code execution if
Firefox (or any application using libpng) attempts to
display a specially crafted PNG image. Interestingly, this
example mirrors a recent vulnerability of Internet Explorer,
and JPEG image handling [35], which again enabled
arbitrary code execution when displaying specially crafted
images.
In the tightly-coupled scenario, the protected version of
the application shares the address space with the unmodified
version. This is achieved by transforming the original source
code with our DYBOC tool. Suspicious requests are tagged
by the ADS so that they are processed by the protected
version of the code as discussed in Section 3.2.
For the loosely-coupled case, when the AD component
marks a request for processing on the shadow honeypot, we
launch the instrumented version of Firefox to replay the
request. The browser is configured to use a null X server as
provided by Xvfb. All requests are handled by a transparent
proxy that redirects these requests to an internal Web server.
The Web server then responds with the objects served by the
original server, as captured in the original session. The
workload that the shadow honeypot can process in the case
of Firefox is determined by how many responses per second
a browser can process and how many different browser
versions can be checked.
Our measurements show that a single instance of Firefox
can handle about one request per second with restarting
after processing each response. Doing this only after
detecting a successful attack improves the result to about
four requests per second. By restarting, we avoid the
accumulation of various pop-ups and other side-effects.
Unlike the server scenario, instrumenting the browser does
not seem to have any significant impact on performance. If
that was the case, we could have used the rollback
mechanism discussed previously to reduce the cost of
launching new instances of the browser.
We further evaluate the performance implications of fully
instrumenting a web browser. These observations apply to
both loosely-coupled and tightly-coupled shadow honeypots.
Web browsing performance was measured using a Mozilla
Firefox 1.0 browser to run a benchmark based on the i-
Bench benchmark suite [36]. i-Bench is a comprehensive,
cross-platform benchmark that tests the performance and
capability of Web clients. Specifically, we use a variant of
the benchmark that allows for scrolling of a web page and
uses cookies to store the load times for each page. Scrolling
is performed in order to render the whole page, providing a
pessimistic emulation of a typical attack. The benchmark
consists of a sequence of 10 web pages containing a mix of
text and graphics; the benchmark was ran using both the
scrolling option and the standard page load mechanisms.
 (IJCNS) International Journal of Computer and Network Security, 9
For the standard page load configuration, the performance
degradation for instrumentation was 35%. For the scrolling
configuration, where in addition to the page load time, the
time taken to scroll through the page is recorded, the
overhead was 50%.
Figure 9. Normalized Mozilla Firefox benchmark results
using a modified version of i-Bench.
Figure 10. Popularity of different Mozilla versions, as
measured in the logs of the CIS Department Web server at
the University of Pennsylvania.
The results follow our intuition as more calls to
malloc() are required to fully render the page. Figure 9
illustrates the normalized performance results. It should be
noted that depending on the browser implementation
(whether the entire page is rendered on page load)
mechanisms such at the automatic scrolling need to be
implemented in order to protect against targeted attacks.
Attackers may hide malicious code in unrendered parts of a
page or in javascript code activated by user-guided pointer
movement.
How many different browser versions would have to be
checked by the system? Figure 10 presents some statistics
concerning different versions of Mozilla. The statistics were
collected over a five-week period from the CIS Department
web server at the University of Pennsylvania. As evidenced
by the figure, one can expect to check up to six versions of a
particular client. We expect that this distribution will be
more stabilized around final release versions and expect to
Vol. 2, No. 9, September 2010
minimize the number of different versions that need to be
checked based on their popularity.
4.2 Filtering and Anomaly Detection
IXP1200-based firewall/load-balancer: We first determine
the performance of the IXP1200-based firewall/load
balancer. The IXP1200 evaluation board we use has two
Gigabit Ethernet interfaces and eight Fast Ethernet
interfaces. The Gigabit Ethernet interfaces are used to
connect to the internal and external network and the Fast
Ethernet interfaces to communicate with the sensors. A set
of client workstations is used to generate traffic through the
firewall. The firewall forwards traffic to the sensors for
processing and the sensors determine if the traffic should be
dropped, redirected to the shadow honeypot, or forwarded to
the internal network.
Previous studies [37] have reported forwarding rates of at
least 1600 Mbit/s for the IXP1200, when used as a simple
forwarder/router, which is sufficient to saturate a Gigabit
Ethernet interface. Our measurements show that despite the
added cost of load balancing, filtering, and coordinating
with the sensors, the firewall can still handle the Gigabit
interface at line rate.
Figure 11. Utilization(%) of the IXP1200 Microengines,
for forwarding-only (FWD), load-balancing-only (LB), both
(LB+FWD), and full implementation (FULL), in stress-tests
with 800 Mbit/s worst-case 64-byte-packet traffic.
To gain insight into the actual overhead of our
implementation, we carry out a second experiment using
Intel’s cycle-accurate IXP1200 simulator. We assume a
clock frequency of 232 MHz for the IXP1200, and an IX bus
configured to be 64- bit wide with a clock frequency of 104
MHz. In the simulated environment, we obtain detailed
utilization measurements for the microengines of the
IXP1200. The results are shown in Figure 11. The results
show that even at line rate with worst-case traffic, the
implementation is quite efficient as the microengines
operate at 50.9%-71.5% of their processing capacity.
PC-based sensor performance: In this experiment, we
measure the throughput of the PC-based sensors that
cooperate with the IXP1200 for analyzing traffic and
performing anomaly detection. We use a 2.66 GHz Pentium
IV Xeon processor with hyper-threading disabled. The PC
has 512 Mbytes of DDR DRAM at 266 MHz. The PCI bus is
10 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

64- bit wide clocked at 66 MHz. The host operating system

is Linux (kernel version 2.4.22, Red-Hat 9.0).
We use LAN traces to stress-test a single sensor running a
modified version of Snort that, in addition to basic signature
matching, provides the hooks needed to coordinate with the
IXP1200 as well as the APE and payload sifting heuristics.
We replay the traces from a remote system through the
IXP1200 at different rates to determine the maximum loss-
free rate (MLFR) of the sensor. For the purpose of this
experiment, we connected a sensor to the second Gigabit
Ethernet interface of the IXP1200 board.

Table 1: Sensor throughput for different detection

mechanisms.
Detection Method Throughput/Sensor
Content Matching 225 Mbit/s
APE 190 Mbit/s
Payload Sifting 268 Mbit/s
The measured throughput of the sensor for signature
matching using APE and Earlybird is shown in Table 1. The
throughput per sensor ranges between 190 Mbit/s (APE) and
268 Mbit/s (payload sifting), while standard signature
matching can be performed at 225 Mbit/s. This means that
we need at least 4-5 sensors behind the IXP1200 for each of
these mechanisms. Note, however, that these results are
rather conservative and based on unoptimized code, and
thus only serve the purpose of providing a ballpark figure on
the cost of anomaly detection.
False positive vs. detection rate trade-offs: We determine
the workload that is generated by the AD heuristics, by
measuring the false positive rate. We also consider the
trade-off between false positives and detection rate, to
demonstrate how the AD heuristics could be tuned to
increase detection rate in our shadow honeypot
environment. We use the payload sifting implementation
from [38], and the APE algorithm from [10]. The APE
experiment corresponds to a scenario with a tightly-coupled
shadow server, while the payload sifting experiment
examines a loosely-coupled shadow honeypot scenario that
can be used for worm detection.
We run the modified Snort sensor implementing APE and
payload sifting on packet-level traces captured on an
enterprise LAN with roughly 150 hosts. Furthermore, the
traces contain several instances of the Welchia worm. APE
was applied on the URIs contained in roughly one-billion
HTTP requests gathered by monitoring the same LAN.
Figure 12 demonstrates the effects of varying the distinct
destinations threshold of the content sifting AD on the false
positives (measured in requests to the shadow services per
minute) and the (Welchia worm) detection delay (measured
in ratio of hosts in the monitored LAN infected by the time
of the detection).
Figure 12. False positives for payload sifting.
Increasing the threshold means more attack instances are
required for triggering detection, and therefore increases the
detection delay and reduces the false positives. It is evident
that to achieve a zero false positives rate without shadow
honeypots we must operate the system with parameters that
yield a suboptimal detection delay. The detection rate for
APE is the minimum sled length that it can detect and
depends on the sampling factor and the MEL parameter (the
number of valid instructions that trigger detection). A high
MEL value means less false positives due to random valid
sequences but also makes the heuristic blind to sleds of
smaller lengths.
Figure 13. False positives for APE.
Figure 13 shows the effects of MEL threshold on the false
positives. APE can be used in a tightly coupled scenario,
where the suspect requests are redirected to the
instrumented server instances. The false positives (measured
in requests to the shadow services per minute by each of the
normal services under maximum load) can be handled easily
by a shadow honeypot. APE alone has false positives for the
entire range of acceptable operational parameters; it is the
combination with shadow honeypots that removes the
problem.
4.3 Fine-tuning Network-level Emulation
In this scheme, the redirection criterion is whether a
given input reaches the CPU execution threshold of the
network-level detector. Since most of the time the system
will not be under attack, and thus the inspected inputs will
be benign, an issue that we should take into account is how
 (IJCNS) International Journal of Computer and Network Security, 11
often a benign inspected input may look “suspicious” and
causes a redirection to the shadow honeypot. If the fraction
of such undecidable inputs is large, then the shadow server
may be overloaded with a higher request rate than it can
normally handle. To evaluate this effect, we used full
payload traces of real network traffic captured at ICS-
FORTH and the University of Crete. The set of traces
contains more than 2.5 million user requests to ports 80,
445, and 139, which are related to the most exploited
vulnerabilities.
Figure 14. Percentage of benign network streams
reaching the execution threshold of the network-level
detector.
Figure 14 shows the percentage of streams with at least
one instruction sequence that, when executed on the CPU
emulator of network-level detector, reached the given
execution threshold. As the execution threshold increases,
the number of streams that reach it decreases. This effect
occurs only for low threshold values, due to large code
blocks with no branch instructions that are executed
linearly. For example, the execution of linear code blocks
with more than 256 but less than 512 valid instructions is
terminated before reaching the end when using a threshold
of 256 instructions, but completes correctly with a threshold
of 512 instructions. However, the occurrence probability of
such blocks is reversely proportional to their length, due to
the illegal or privileged instructions that accidentally occur
in random code. Thus, the percentage of streams that reach
the execution threshold stabilizes beyond the value of 2048.
After this value, the execution threshold is reached solely
due to instruction sequences with “endless” loops, which
usually require a prohibitive number of instructions for the
slow CPU emulator in order to complete.
Fortunately, for an execution threshold above 2048
instructions, which allows for accurate polymorphic
shellcode detection with a decent operational throughput
[13], the fraction of streams that reach the execution
threshold is only around 4% for port 445, 2.6% for port 139,
and 0.1% for port 80. Binary traffic (ports 445 and 139) is
clearly more likely to result to an instruction sequence that
reaches the execution threshold in contrast to the mostly
ASCII traffic of port 80. In any case, even in the worst case
of binary-only traffic, the percentage of benign streams that
reach the execution threshold is very small, so the extra
Vol. 2, No. 9, September 2010
overhead incurred to the shadow server is modest.
5. Limitations
There are two limitations of the shadow honeypot design
presented in this paper that we are aware of. The
effectiveness of the rollback mechanism depends on the
proper placement of calls to transaction() for
committing state changes, and the latency of the detector.
The detector used in this paper can instantly detect attempts
to overwrite a buffer, and therefore the system cannot be
corrupted. Other detectors, however, may have higher
latency, and the placement of commit calls is critical to
recovering from the attack. Depending on the detector
latency and how it relates to the cost of implementing
rollback, one may have to consider different approaches.
The trade-offs involved in designing such mechanisms are
thoroughly examined in the fault-tolerance literature (c.f.
[39]).
Furthermore, the loosely coupled client shadow honeypot
is limited to protecting against relatively static attacks. The
honeypot cannot effectively emulate user behavior that may
be involved in triggering the attack, for example, through
DHTML or Javascript. The loosely coupled version is also
weak against attacks that depend on local system state on
the user’s host that is difficult to replicate. This is not a
problem with tightly coupled shadows, because we
accurately mirror the state of the real system. In some cases,
it may be possible to mirror state on loosely coupled
shadows as well, but we have not considered this case in the
experiments presented in this paper.
6. Related Work
Much of the work in automated attack reaction has focused
on the problem of network worms, which has taken truly
epidemic dimensions (pun intended). For example, the
system described in [24] detects worms by monitoring
probes to unassigned IP addresses (“dark space”) or inactive
ports and computing statistics on scan traffic, such as the
number of source/destination addresses and the volume of
the captured traffic. By measuring the increase on the
number of source addresses seen in a unit of time, it is
possible to infer the existence of a new worm when as little
as 4% of the vulnerable machines have been infected. A
similar approach for isolating infected nodes inside an
enterprise network [40] is taken in [23], where it was shown
that as little as four probes may be sufficient in detecting a
new port-scanning worm.
Smirnov and Chiueh [41] describe an approximating
algorithm for quickly detecting scanning activity that can be
efficiently implemented in hardware. Newsome et al. [42]
describe a combination of reverse sequential hypothesis
testing and credit-based connection throttling to quickly
detect and quarantine local infected hosts. These systems are
effective only against scanning worms (not topological, or
“hit-list” worms), and rely on the assumption that most
scans will result in non-connections. As such, they are
susceptible to false positives, either accidentally (e.g., when
12
a host is joining a peer-to-peer network such as Gnutella, or
during a temporary network outage) or on purpose (e.g., a
malicious web page with many links to images in
random/notused IP addresses). Furthermore, it may be
possible for several instances of a worm to collaborate in
providing the illusion of several successful connections, or
to use a list of known repliers to blind the anomaly detector.
Another algorithm for finding fast-spreading worms using
2-level filtering based on sampling from the set of distinct
source-destination pairs is described in [43].
Wu et al. [22] describe an algorithm for correlating
packet payloads from different traffic flows, towards
deriving a worm signature that can then be filtered [44].
The technique is promising, although further improvements
are required to allow it to operate in real time. Earlybird
[19] presents a more practical algorithm for doing payload
sifting, and correlates these with a range of unique sources
generating infections and destinations being targeted.
However, polymorphic and metamorphic worms [26] remain
a challenge; Spinelis [45] shows that it is an NP-hard
problem. Vigna et al. [46] discuss a method for testing
detection signatures against mutations of known
vulnerabilities to determine the quality of the detection
model and mechanism. Polygraph [47] attempts to detect
polymorphic exploits by identifying common invariants
among the various attack instances, such as return
addresses, protocol framing and poor obfuscation.
Toth and Kruegel [10] propose to detect buffer overflow
payloads (including previously unseen ones) by treating
inputs received over the network as code fragments. They
use restricted symbolic execution to show that legitimate
requests will appear to contain relatively short sequences of
valid x86 instruction opcodes, compared to attacks that will
contain long sequences. They integrate this mechanism into
the Apache web server, resulting in a small performance
degradation. STRIDE [48] is a similar system that seeks to
detect polymorphic NOP-sleds in buffer overflow exploits.
[49] describes a hybrid polymorphic-code detection engine
that combines several heuristics, including NOP-sled
detector and abstract payload execution.
HoneyStat [3] runs sacrificial services inside a virtual
machine, and monitors memory, disk, and network events to
detect abnormal behavior. For some classes of attacks (e.g.,
buffer overflows), this can produce highly accurate alerts
with relatively few false positives, and can detect zero-day
worms. Although the system only protects against scanning
worms, “active honeypot” techniques [4] may be used to
make it more difficult for an automated attacker to
differentiate between HoneyStats and real servers. FLIPS
(Feedback Learning IPS) [50] is a similar hybrid approach
that incorporates a supervision framework in the presence of
suspicious traffic. Instruction-set randomization is used to
isolate attack vectors, which are used to train the anomaly
detector. The authors of [51] propose to enhance NIDS
alerts using host-based IDS information. Nemean [52] is an
architecture for generating semantics-aware signatures,
which are signatures aware of protocol semantics (as
opposed to general byte strings). Shield [20] is a mechanism
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
for pushing to workstations vulnerability-specific,
application-aware filters expressed as programs in a simple
language.
The Internet Motion Sensor [7] is a distributed blackhole
monitoring system aimed at measuring, characterizing, and
tracking Internet-based threats, including worms. [53]
explores the various options in locating honeypots and
correlating their findings, and their impact on the speed and
accuracy in detecting worms and other attacks. [54] shows
that a distributed worm monitor can detect non-uniform
scanning worms two to four times as fast as a centralized
telescope [55], and that knowledge of the vulnerability
density of the population can further improve detection time.
However, other recent work has shown that it is relatively
straightforward for attackers to detect the placement of
certain types of sensors [56], [57]. Shadow Honeypots [58]
are one approach to avoiding such mapping by pushing
honeypot-like functionality at the end hosts.
The HACQIT architecture [59], [60], [61], [62] uses
various sensors to detect new types of attacks against secure
servers, access to which is limited to small numbers of users
at a time. Any deviation from expected or known behavior
results in the possibly subverted server to be taken off-line.
A sandboxed instance of the server is used to conduct “clean
room” analysis, comparing the outputs from two different
implementations of the service (in their prototype, the
Microsoft IIS and Apache web servers were used to provide
application diversity). Machine-learning techniques are used
to generalize attack features from observed instances of the
attack. Content-based filtering is then used, either at the
firewall or the end host, to block inputs that may have
resulted in attacks, and the infected servers are restarted.
Due to the feature-generalization approach, trivial variants
of the attack will also be caught by the filter. [8] takes a
roughly similar approach, although filtering is done based
on port numbers, which can affect service availability.
Cisco’s Network-Based Application Recognition (NBAR)
[21] allows routers to block TCP sessions based on the
presence of specific strings in the TCP stream. This feature
was used to block CodeRed probes, without affecting regular
web-server access. Porras et al. [63] argue that hybrid
defenses using complementary techniques (in their case,
connection throttling at the domain gateway and a peer-
based coordination mechanism), can be much more effective
against a wide variety of worms.
DOMINO [64] is an overlay system for cooperative
intrusion detection. The system is organized in two layers,
with a small core of trusted nodes and a larger collection of
nodes connected to the core. The experimental analysis
demonstrates that a coordinated approach has the potential
of providing early warning for large-scale attacks while
reducing potential false alarms. A similar approach using a
DHT-based overlay network to automatically correlate all
relevant information is described in [65]. Malkhi and Reiter
[66] describe an architecture for an early warning system
where the participating nodes/routers propagate alarm
reports towards a centralized site for analysis. The question
of how to respond to alerts is not addressed, and, similar to
 (IJCNS) International Journal of Computer and Network Security, 13
DOMINO, the use of a centralized collection and analysis
facility is weak against worms attacking the early warning
infrastructure.
Suh et al. [67], propose a hardware-based solution that
can be used to thwart control-transfer attacks and restrict
executable instructions by monitoring “tainted” input data.
In order to identify “tainted” data, they rely on the operating
system. If the processor detects the use of this tainted data as
a jump address or an executed instruction, it raises an
exception that can be handled by the operating system. The
authors do not address the issue of recovering program
execution and suggest the immediate termination of the
offending process. DIRA [68] is a technique for automatic
detection, identification and repair of control-hijaking
attacks. This solution is implemented as a GCC compiler
extension that transforms a program’s source code adding
heavy instrumentation so that the resulting program can
perform these tasks. Unfortunately, the performance
implications of the system make it unusable as a front line
defense mechanism. Song and Newsome [69] propose
dynamic taint analysis for automatic detection of overwrite
attacks. Tainted data is monitored throughout the program
execution and modified buffers with tainted information will
result in protection faults. Once an attack has been
identified, signatures are generated using automatic
semantic analysis. The technique is implemented as an
extension to Valgrind and does not require any
modifications to the program’s source code but suffers from
severe performance degradation. One way of minimizing
this penalty is to make the CPU aware of memory tainting
[70]. Crandall et al. report on using a taint-based system for
capturing live attacks in [71].
The Safe Execution Environment (SEE) [72] allows users
to deploy and test untrusted software without fear of
damaging their system. This is done by creating a virtual
environment where the software has read access to the real
data; all writes are local to this virtual environment. The
user can inspect these changes and decide whether to
commit them or not. We envision use of this technique for
unrolling the effects of filesystem changes in our system, as
part of our future work plans. A similar proposal is
presented in [73] for executing untrusted Java applets in a
safe “playground” that is isolated from the user’s
environment.
7. Conclusion
We have described a novel approach to dealing with zeroday
attacks by combining features found today in honeypots and
anomaly detection systems. The main advantage of this
architecture is providing system designers the ability to fine
tune systems with impunity, since any false positives
(legitimate traffic) will be filtered by the underlying
components. We have implemented this approach in an
architecture called Shadow Honeypots. In this approach, we
employ an array of anomaly detectors to monitor and
classify all traffic to a protected network; traffic deemed
anomalous is processed by a shadow honeypot, a protected
Vol. 2, No. 9, September 2010
instrumented instance of the application we are trying to
protect. Attacks against the shadow honeypot are detected
and caught before they infect the state of the protected
application. This enables the system to implement policies
that trade off between performance and risk, retaining the
capability to re-evaluate this trade-off effortlessly.
Our experience so far indicates that despite the
considerable cost of processing suspicious traffic on our
Shadow Honeypots and overhead imposed by
instrumentation, such systems are capable of sustaining the
overall workload of protecting services such as a Web server
farm, as well as vulnerable Web browsers. We have also
demonstrated how the impact on performance can be
minimized by reducing the rate of false positives and tuning
the AD heuristics using a feedback loop with the shadow
honeypot. We believe that shadow honeypots can form the
foundation of a type of application community.
Acknowledgments
This material is based on research sponsored by the Air
Force Research Laboratory under agreement number
FA8750-06-2-0221, and by the National Science Foundation
under NSF Grant CNS-09-14845. Evangelos Markatos is
also with the University of Crete.
References
[1] M. Roesch. Snort: Lightweight intrusion detection for
networks. In Proceedings of USENIX LISA, November
1999. (software available from http://www.snort.org/).
[2] N. Provos. A Virtual Honeypot Framework. In
Proceedings of the 13th USENIX Security Symposium,
pages 1–14, August 2004.
[3] D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J.
Levine, and H. Owen. HoneyStat: Local Worm
Detection Using Honepots. In Proceedings of the 7th
International Symposium on Recent Advances in
Intrusion Detection (RAID), pages 39–58, October
2004.
[4] V. Yegneswaran, P. Barford, and D. Plonka. On the
Design and Use of Internet Sinks for Network Abuse
Monitoring. In Proceedings of the 7th International
Symposium on Recent Advances in Intrusion Detection
(RAID), pages 146–165, October 2004.
[5] L. Spitzner. Honeypots: Tracking Hackers. Addison-
Wesley, 2003.
[6] J. G. Levine, J. B. Grizzard, and H. L. Owen. Using
Honeynets to Protect Large Enterprise Networks. IEEE
Security & Privacy, 2(6):73– 75, Nov./Dec. 2004.
[7] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D.
Watson. The Internet Motion Sensor: A Distributed
Blackhole Monitoring System. In Proceedings of the
12th ISOC Symposium on Network and Distributed
Systems Security (SNDSS), pages 167–179, February
2005.
[8] T. Toth and C. Kruegel. Connection-history Based
Anomaly Detection. In Proceedings of the IEEE
Workshop on Information Assurance and Security,
June 2002.
14 (IJCNS) International Journal of Computer and Network Security,
[9] K. Wang and S. J. Stolfo. Anomalous Payload-based
Network Intrusion Detection. In Proceedings of the 7th
International Symposium on Recent Advanced in
Intrusion Detection (RAID), pages 201–222,
September 2004.
[10] T. Toth and C. Kruegel. Accurate Buffer Overflow
Detection via Abstract Payload Execution. In
Proceedings of the 5th Symposium on Recent
Advances in Intrusion Detection (RAID), October
2002.
[11] M. Bhattacharyya, M. G. Schultz, E. Eskin, S.
Hershkop, and S. J. Stolfo. MET: An Experimental
System for Malicious Email Tracking. In Proceedings
of the New Security Paradigms Workshop (NSPW),
pages 1–12, September 2002.
[12] C. Kruegel and G. Vigna. Anomaly Detection of Web-
based Attacks. In Proceedings of the 10th ACM
Conference on Computer and Communications
Security (CCS), pages 251–261, October 2003.
[13] M. Polychronakis, E. P. Markatos, and K. G.
Anagnostakis. Network-level polymorphic shellcode
detection using emulation. In Proceedings of the Third
Conference on Detection of Intrusions and Malware &
Vulnerability Assessment (DIMVA), pages 54–73, July
2006.
[14] CERT Advisory CA-2001-19: ‘Code Red’ Worm
Exploiting Buffer Overflow in IIS Indexing Service
DLL. http://www.cert.org/advisories/CA-2001-
19.html, July 2001.
[15] Cert Advisory CA-2003-04: MS-SQL Server Worm.
http://www.cert.org/advisories/CA-2003-04.html,
January 2003.
[16] S. Staniford, V. Paxson, and N. Weaver. How to Own
the Internet in Your Spare Time. In Proceedings of the
11th USENIX Security Symposium, pages 149–167,
August 2002.
[17] S. Staniford, D. Moore, V. Paxson, and N. Weaver.
The Top Speed of Flash Worms. In Proceedings of the
ACM Workshop on Rapid Malcode (WORM), pages
33–42, October 2004.
[18] US-CERT Technical Cyber Security Alert TA04-217A:
Multiple Vulnerabilities in libpng. http://www.us-
cert.gov/cas/techalerts/TA04-217A.html, August 2004.
[19] S. Singh, C. Estan, G. Varghese, and S. Savage.
Automated worm fingerprinting. In Proceedings of the
6th Symposium on Operating Systems Design &
Implementation (OSDI), December 2004.
[20] H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier.
Shield: Vulnerability-Driven Network Filters for
Preventing Known Vulnerability Exploits. In
Proceedings of the ACM SIGCOMM Conference,
pages 193–204, August 2004.
[21] Using Network-Based Application Recognition and
Access Control Lists for Blocking the “Code Red”
Worm at Network Ingress Points. Technical report,
Cisco Systems, Inc.
[22] H. Kim and Brad Karp. Autograph: Toward
Automated, Distributed Worm Signature Detection. In
Proceedings of the 13th USENIX Security Symposium,
pages 271–286, August 2004.
Vol. 2, No. 9, September 2010
[23] J. Jung, V. Paxson, A. W. Berger, and H.
Balakrishnan. Fast Portscan Detection Using
Sequential Hypothesis Testing. In Proceedings of the
IEEE Symposium on Security and Privacy, May 2004.
[24] J. Wu, S. Vangala, L. Gao, and K. Kwiat. An Effective
Architecture and Algorithm for Detecting Worms with
Various Scan Techniques. In Proceedings of the ISOC
Symposium on Network and Distributed System
Security (SNDSS), pages 143–156, February 2004.
[25] Microsoft Security Bulletin MS04-028, September
2004.
http://www.microsoft.com/technet/security/Bulletin/M
S04-028.mspx.
[26] P. Ször and P. Ferrie. Hunting for Metamorphic.
Technical report, Symantec Corporation, June 2003.
[27] C. Clark, W. Lee, D. Schimmel, D. Contis, M. Kone,
and A. Thomas. A Hardware Platform for Network
Intrusion Detection and Prevention. In Proceedings of
the 3rd Workshop on Network Processors and
Applications (NP3), February 2004.
[28] L. Schaelicke, T. Slabach, B. Moore, and C. Freeland.
Characterizing the Performance of Network Intrusion
Detection Sensors. In Proceedings of Recent Advances
in Intrusion Detection (RAID), September 2003.
[29] Top Layer Networks. http://www.toplayer.com.
[30] C. Kruegel, F. Valeur, G. Vigna, and R. Kemmerer.
Stateful Intrusion Detection for High-Speed Networks.
In Proceedings of the IEEE Symposium on Security
and Privacy, pages 285–294, May 2002.
[31] M. Polychronakis, E. P. Markatos, and K. G.
Anagnostakis. Emulation-based detection of non-self-
contained polymorphic shellcode. In Proceedings of the
10th International Symposium on Recent Advances in
Intrusion Detection (RAID), September 2007.
[32] A. J. Malton. The Denotational Semantics of a
Functional Tree-Manipulation Language. Computer
Languages, 19(3):157–168, 1993.
[33] P. Ször. The Art of Computer Virus Research and
Defense. Addison- Wesley Professional, February
2005.
[34] ApacheBench: A complete benchmarking and
regression testing suite.
http://freshmeat.net/projects/apachebench/, July 2003.
[35] Microsoft Security Bulletin MS04-028: Buffer Overrun
in JPEG Processing Could Allow Code Execution.
http://www.microsoft.com/technet/security/bulletin/MS
04-028.mspx, September 2004.
[36] i-Bench. http://http://www.veritest.com/benchmarks/i-
bench/default.asp.
[37] T. Spalink, S. Karlin, L. Peterson, and Y. Gottlieb.
Building a Robust Software-Based Router Using
Network Processors. In Proceedings of the 18th ACM
Symposium on Operating Systems Principles (SOSP),
pages 216–229, Chateau Lake Louise, Banff, Alberta,
Canada, October 2001.
[38] P. Akritidis, K. Anagnostakis, and E. P. Markatos.
Efficient contentbased fingerprinting of zero-day
worms. In Proceedings of the IEEE International
Conference on Communications (ICC), May 2005.
[39] E. N. Elnozahy, Lorenzo Alvisi, Yi-Min Wang, and
David B. Johnson. A survey of rollback-recovery
 (IJCNS) International Journal of Computer and Network Security, 15
protocols in message-passing systems. ACM Comput.
Surv., 34(3):375–408, 2002.
[40] S. Staniford. Containment of Scanning Worms in
Enterprise Networks. Journal of Computer Security,
2005. (to appear).
[41] N. Weaver, S. Staniford, and V. Paxson. Very Fast
Containment of Scanning Worms. In Proceedings of
the 13th USENIX Security Symposium, pages 29–44,
August 2004.
[42] S. E. Schechter, J. Jung, and A. W. Berger. Fast
Detection of Scanning Worm Infections. In
Proceedings of the 7th International Symposium on
Recent Advances in Intrusion Detection (RAID),
October 2004.
[43] S. Venkataraman, D. Song, P. B. Gibbons, and A.
Blum. New Streaming Algorithms for Fast Detection
of Superspreaders. In Proceedings of the 12th ISOC
Symposium on Network and Distributed Systems
Security (SNDSS), pages 149–166, February 2005.
[44] D. Moore, C. Shannon, G. Voelker, and S. Savage.
Internet Quarantine: Requirements for Containing
Self-Propagating Code. In Proceedings of the IEEE
Infocom Conference, April 2003.
[45] D. Spinellis. Reliable identification of bounded-length
viruses is NP-complete. IEEE Transactions on
Information Theory, 49(1):280– 284, January 2003.
[46] G. Vigna, W. Robertson, and D. Balzarotti. Testing
Network-based Intrusion Detection Signatures Using
Mutant Exploits. In Proceedings of the 11th ACM
Conference on Computer and Communications
Security (CCS), pages 21–30, October 2004.
[47] J. Newsome, B. Karp, and D. Song. Polygraph:
Automatically Generating Signatures for Polymorphic
Worms. In Proceedings of the IEEE Security & Privacy
Symposium, pages 226–241, May 2005.
[48] P. Akritidis, E. P. Markatos, M. Polychronakis, and K.
Anagnostakis. STRIDE: Polymorphic Sled Detection
through Instruction Sequence Analysis. In Proceedings
of the 20th IFIP International Information Security
Conference (IFIP/SEC), June 2005.
[49] U. Payer, P. Teufl, and M. Lamberger. Hybrid Engine
for Polymorphic Shellcode Detection. In Proceedings
of the Conference on Detection of Intrusions and
Malware & Vulnerability Assessment (DIMVA), July
2005.
[50] M. Locasto, K. Wang, A. Keromytis, and S. Stolfo.
FLIPS: Hybrid Adaptive Intrusion Prevention. In
Proceedings of the 8th Symposium on Recent
Advances in Intrusion Detection (RAID), September
2005.
[51] H. Dreger, C. Kreibich, V. Paxson, and R. Sommer.
Enhancing the Accuracy of Network-based Intrusion
Detection with Host-based Context. In Proceedings of
the Conference on Detection of Intrusions and
Malware & Vulnerability Assessment (DIMVA), July
2005.
[52] V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha.
An Architecture for Generating Semantics-Aware
Signatures. In Proceedings of the 14th USENIX
Security Symposium, pages 97–112, August 2005.
Vol. 2, No. 9, September 2010
[53] E. Cook, M. Bailey, Z. M. Mao, and D. McPherson.
Toward Understanding Distributed Blackhole
Placement. In Proceedings of the ACM Workshop on
Rapid Malcode (WORM), pages 54–64, October 2004.
[54] M. A. Rajab, F. Monrose, and A. Terzis. On the
Effectiveness of Distributed Worm Monitoring. In
Proceedings of the 14th USENIX Security Symposium,
pages 225–237, August 2005.
[55] D. Moore, G. Voelker, and S. Savage. Inferring
Internet Denialof- Service Activity. In Proceedings of
the 10th USENIX Security Symposium, pages 9–22,
August 2001.
[56] J. Bethencourt, J. Franklin, and M. Vernon. Mapping
Internet Sensors With Probe Response Attacks. In
Proceedings of the 14th USENIX Security Symposium,
pages 193–208, August 2005.
[57] Y. Shinoda, K. Ikai, and M. Itoh. Vulnerabilities of
Passive Internet Threat Monitors. In Proceedings of the
14th USENIX Security Symposium, pages 209–224,
August 2005.
[58] K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K.
Xinidis, E. P. Markatos, and A. D. Keromytis.
Detecting Targetted Attacks Using Shadow Honeypots.
In Proceedings of the 14th USENIX Security
Symposium, pages 129–144, August 2005.
[59] J. E. Just, L. A. Clough, M. Danforth, K. N. Levitt, R.
Maglich, J. C. Reynolds, and J. Rowe. Learning
Unknown Attacks – A Start. In Proceedings of the 5th
International Symposium on Recent Advances in
Intrusion Detection (RAID), October 2002.
[60] J. C. Reynolds, J. Just, E. Lawson, L. Clough, and R.
Maglich. The Design and Implementation of an
Intrusion Tolerant System. In Proceedings of the
International Conference on Dependable Systems and
Networks (DSN), June 2002.
[61] J.C. Reynolds, J. Just, E. Lawson, L. Clough, and R.
Maglich. Online Intrusion Protection by Detecting
Attacks with Diversity. In Proceedings of the 16th
Annual IFIP 11.3 Working Conference on Data and
Application Security Conference, April 2002.
[62] J. C. Reynolds, J. Just, L. Clough, and R. Maglich. On-
Line Intrusion Detection and Attack Prevention Using
Diversity, Generate-and- Test, and Generalization. In
Proceedings of the 36th Annual Hawaii International
Conference on System Sciences (HICSS), January
2003.
[63] P. Porras, L. Briesemeister, K. Levitt, J. Rowe, and Y.-
C. A. Ting. A Hybrid Quarantine Defense. In
Proceedings of the ACM Workshop on Rapid Malcode
(WORM), pages 73–82, October 2004.
[64] V. Yegneswaran, P. Barford, and S. Jha. Global
Intrusion Detection in the DOMINO Overlay System.
In Proceedings of the ISOC Symposium on Network
and Distributed System Security (SNDSS), February
2004.
[65] M. Cai, K. Hwang, Y-K. Kwok, S. Song, and Y. Chen.
Collaborative Internet Worm Containment. IEEE
Security & Privacy Magazine, 3(3):25–33, May/June
2005.
[66] C. C. Zou, L. Gao, W. Gong, and D. Towsley.
Monitoring and Early Warning for Internet Worms. In
16 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Proceedings of the 10th ACM International Conference

on Computer and Communications Security (CCS),
pages 190–199, October 2003.
[67] G. Edward Suh, Jae W. Lee, David Zhang, and
Srinivas Devadas. Secure program execution via
dynamic information flow tracking. SIGOPS Operating
Systems Review, 38(5):85–96, 2004.
[68] A. Smirnov and T. Chiueh. DIRA: Automatic
Detection, Identification, and Repair of Control-
Hijacking Attacks. In Proceedings of the 12th ISOC
Symposium on Network and Distributed System
Security (SNDSS), February 2005.
[69] J. Newsome and D. Dong. Dynamic Taint Analysis for
Automatic Detection, Analysis, and Signature
Generation of Exploits on Commodity Software. In
Proceedings of the 12th ISOC Symposium on Network
and Distributed System Security (SNDSS), February
2005.
[70] S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and C.
Verbowski. Defeating Memory Corruption Attacks via
Pointer Taintedness Detection. In Proceedings of the
International Conference on Dependable Systems and
Networks (DSN), pages 378–387, June 2005.
[71] J. R. Crandall, S. F. Wu, and F. T. Chong. Experiences
Using Minos as a Tool for Capturing and Analyzing
Novel Worms for Unknown Vulnerabilities. In
Proceedings of the Conference on Detection of
Intrusions and Malware & Vulnerability Assessment
(DIMVA), July 2005.
[72] W. Sun, Z. Liang, R. Sekar, and V. N.
Venkatakrishnan. One-way Isolation: An Effective
Approach for Realizing Safe Execution Environments.
In Proceedings of the 12th ISOC Symposium on
Network and Distributed Systems Security (SNDSS),
February 2005.
[73] D. Malkhi and M. K. Reiter. Secure Execution of Java
Applets Using a Remote Playground. IEEE Trans.
Softw. Eng., 26(12):1197– 1209, 2000.
 (IJCNS) International Journal of Computer and Network Security, 17
Vol. 2, No. 9, September 2010

A 1.2V Fourth Order Low Pass Filter for UMTS

Receivers
Sandeep Garg1, D.S. Ajnar2, P.K. Jain3

Electronics & Instrumentation Engg. Department,

Shri G.S.Institute of Technology and Science, Indore, India
1
gargsandeep_2447441@yahoo.co.in, 2 dajnar@sgsits.ac.in, 3 prjain@sgsits.ac.in

Abstract. A low-power analog filter to be used in UMTS and
WLAN applications is reported. The 4th order low-pass
continuous-time filter is going to be included in the receiver
path of a reconfigurable terminal. The filter is made up by the
cascade of two Active-Gm-RC low-pass Biquadratic cells. The
unity-gain bandwidth of the opamps embedded in the Active-
Gm-RC cells is comparable to the filter cut-off frequency. Thus,
the power consumption of the opamp can be strongly reduced.
In addition, the filter can be programmed in order to process
UMTS and WLAN signals. A Fourth order low pass filter with 3
MHz cut-off frequency and a DC gain of 40 dB for UMTS
receiver has been designed in 0.18μ CMOS technology with a
1.2 V supply voltage. The filter has a power dissipation of
122µW. The filter has input referred noise (spot noise) of 13.25
nV @ 2MHz.
linearity. The Active Gm- RC approach for realizing the
filter is therefore proposed here in which both linearity is
high and power consumption is low. Simulations confirm
the excellent properties of the proposed circuit.
In section 2, the active Gm-RC cell is proposed. The filter
consists of opamps and passive elements. The opamp
frequency response is taken into account in the synthesis of
overall transfer function of filter where the opamp frequency
response is fixed and the external components are designed
as a function of opamp frequency response. This makes the
overall transfer function to fully depend on the opamp.
2. Low Pass Filter

Keywords: Analog Filters, CMOS, low voltage, zero IF The filter consists of two Biquad Cells connected in cascade.
Receivers. The figure shows the Biquad cell using Active Gm-RC
technique. It is equivalent to second order Low Pass Filter.
1. Introduction The opamp used in the structure is having a single pole
transfer function given by -

An analog Baseband filter is a three terminal device which

is used in telecommunication systems as a low pass filter. A0
The baseband filter is a channel selection filter used for low- A(s) = (1)
1 + sT
pass filtering the mixer output and it eliminates the need of
IF frequency stages as in the case of superheterodyne
Receivers. Where 1/T and A0 are the first pole angular frequency and
DC gain of opamp respectively.

Figure 1. Block Diagram of Receiver

This low pass filter is to be used in Direct
Conversion Receiver for selecting the desired message Figure 2. Circuit diagram of Active Gm-RC Biquad Cell
signal following RF mixer without any distortion and rejects
the out-of-band signal. So it is also called channel select
filter.
A Fourth order active Gm-RC low pass filter is presented.
Active Gm- RC technique is used because MOSFET-C ones
have high linearity requirement. So the need of opamp
bandwidth much larger than the filter cut-off frequency
leads to high power consumption. As an alternative, Gm-C
filters reduce the power consumption but have lower
18 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

The opamp unity gain frequency is given by –

A0
ωu = (2)
T

The Butterworth transfer function is used for realizing filter

for larger stop band attenuation and in band maximum flat
frequency response.

Figure 3. Block diagram of Low Pass Filter

Figure 4. Schematic of opamp

The Transfer Function for the filter using Butterworth Table 2 :MOSFETS and passive elements device size used
Approximation is as shown below – in opamps
Opamp for Cell 1 Opamp for Cell 2
T(s) = (s2 + 0.7654s + 1)(s2 + 1.8478s + 1) (3) Devices Size Devices Size
M1=M2 9.47μ/0.18μ M1=M2 12.47μ/0.18μ
Table 1: Baseband Filter Requirements M3=M4 9.47μ/0.18 μ M3=M4 12.47μ/0.18 μ
Specifications Value M5=M6 18.94μ/0.18 μ M5=M6 24.94μ/0.18 μ
Order 4th M7=M8 18.94μ/0.18μ M7=M8 24.94μ/0.18μ
Transfer Function Butterworth
M9 0.24μ/0.18μ M9 0.48μ/0.18μ
DC gain 40 dB
Cut-off frequency 2 MHz Rc 680Ω Rc 920Ω
Cc 2.4pF Cc 4.8pF
Cell1 Cell2 IB 20μA IB 20μA
Order 2nd 2nd
Transfer Function Butterworth Butterworth
DC gain 20 dB 20 dB Table 3: Filter passive elements
Cut-off frequency 2MHz 2MHz
Cell 1 Cell 2
Quality Factor 1.3066 0.5412
Specifications Value Value
R1 3.17k 2.8k
R2 31.7k 28k
3. Operational Amplifier Design C 2.6pF 2.9pF

The Operational Amplifier used in Biquad Cell is a

differential input, single ended output Amplifier. It consists Table 4: Characteristics of opamps and cells after
of two stages. simulation
The First stage is a NMOS Differential-input, single-ended Cell 1 Cell 2
output stage with PMOS active load. Specifications Value Value
The second stage is a common – source gain stage that has
Opamp DC gain(A0) 44 dB 48 dB
an active load. Capacitor Cc is included to ensure stability
when opamp is used with feedback. It is a Miller Opamp Cut-off frequency 42kHz 51kHz
capacitance. Opamp Phase Margin 84° 78°
Opamp Slew Rate 2.25V/μs 2.4V/μs
The gain of first stage is given by -
Av1 = gm1 (rds2││ rds4) (4) Opamp Unity gain frequency 2.98MHz 3.02MHz
Opamp CMRR 110 dB 105 dB
The gain of second stage is given by –
Av2 = -gm7 (rds6││ rds7) (5) Biquad Cell Gain 19.22dB 19.41dB
Biquad Cell Cutoff Frequency 2.04MHz 2.02MHz
 (IJCNS) International Journal of Computer and Network Security, 19
Vol. 2, No. 9, September 2010

Table 5: Characteristics of filter after simulation

Specifications Value
Overall Filter Gain 38dB
Cutoff Frequency 2.02MHz

The Simulation results for opamp in cadence 0.18μ UMC

MOS technology are shown below.

Figure 7. Schematic of Overall filter

The simulation results for the Active Gm- RC filter in

0.18μ CMOS technology is as shown-

Figure 5. Frequency Response of opamp for Cell 1

Figure 8. Frequency Response of Cell 1

Figure 6. Frequency Response of opamp for Cell 2

4. Filter Design

The Design Equations for filter are -

(6)

Where G = Gain of filter

ωu = unity gain frequency of opamp
ω0 = cutoff frequency of filter Figure 9. Frequency Response of Cell 2
Q = Quality factor of filter
20 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Fig.13 Output noise

Figure 10. Frequency Response of Overall Filter

Figure 13. Output noise

5. Applications

The Active Gm-RC filter is used in Direct Conversion

Receivers as a Channel select filter or Baseband filter. It
eliminates the need of Intermediate frequency stages as in the
case of Superheterodyne receivers. So that the cost and
performance of circuit is improved.

6. Conclusion

A low voltage fourth order analog baseband filter for UMTS

receivers has been presented. The filter is able to operate at 1.2
V with a 2MHz -3dB Bandwidth. The filter operates with a
good linearity and less noise.

Table 6: Filter Performance Summary

Figure 11. dB Compression point of filter
This Design [1] [3]
DC gain(G) 38 dB 32dB 34dB
f-3dB (Cut-off
2.02MHz 2.11MHZ 2MHz
frequency)
Power
122 μ W 2.8mW 3.4mW
Consumption
VDD 1.2 V 1.8V 2.5V

CMOS(um) 0.18μ 0.18μ 0.5μ

Noise(uVrms 50nV/
13.25nV/ Hz 30nV/ Hz
) Hz

References

[1] S. D’Amico and A. Baschirotto, “Active – Gm - RC

Continuous- Time Biquadratic Cells,” Analog
Integrated Circuits and Signal Processing, Springer
vol. 45, pp.281-294, 2005
[2] Marcello De Matteis, Stefano D’Amico and Andrea
Baschirotto, “A 1.9 V 60 dB-DR Fourth-Order Analog
Baseband Filter,” IEEE Journal of Solid-State Circuits,
vol. 44, no. 9, pp. 2525- 2534, September 2006.
[3] S. Pavan, Y. P. Tsividis, and K. Nagaraj, “Widely
programmable high frequency continuous-time filters in
Figure 12. Layout of opamp used in filter
 (IJCNS) International Journal of Computer and Network Security, 21
Vol. 2, No. 9, September 2010

digital CMOS technology,” IEEE Journal of Solid-

State Circuits, vol. 35,no. 4, pp. 503-511, April 2000.
[4] D.A. Johns and K. Martin, Analog Integrated Circuit
Design. John Wiley and Sons, Inc.1996, pp. 221-251
[5] H. Huang and E. K. F. Lee, “Design of low-voltage
CMOS continuous time filter with on-chip automatic
tuning,” IEEE Journal of Solid-State Circuits, vol. 36,
no. 8, pp. 1168–1177, Aug. 2001.

Authors Profile

Sandeep Garg received the B.E. Degree in

Electronics and Instrumentation Engineering
from D.A.V.V. University, Indore ,India in
2002 and M.Tech. Degree in Microelectronics
and VLSI Design from SGSITS, indore, India
in 2010. His Area of interest is CMOS
analogVLSI Design. He has published three
papers at national level.

D.S.Ajnar received the B.E. degree in

Electronics and Communication Engineering
from D.A.V.V.University, India in 1993 and
M.E. Degree in Digital Techniques &
InstrumentationEngineering from Rajiv Ghandhi
Technical University Bhopal, India in 2000. He
has been teaching and in research profession
since 1995. He is now working as Reader in Department of
Electronics & Instrumentation Engineering
,S.G.S.I.T.S,Indore,India. His interest of research is in Designing
of analog filter and Current-Conveyor.

P.K.Jain received the B.E. degree in

Electronics and communication Engineering
from D.A.V.V. University, India in 1987 and
M.E. Degree in Digital Techniques &
Instrumentation Engineering from Rajiv
Ghandhi Technical University Bhopal, India in
1993. He has been teaching and in research
profession since 1988. He is now working as Reader in
Department of Electronics & Instru. Engineering , S.G.S.I.T.S.
Indore India. His interested field of research is analog cicuit
design.
22 (IJCNS) International Journal of Computer and Network Security,
Evaluating Learning Objects for Students: An
adaptive model
Sonal Chawla and Dr. R.K. Singla
Dept of Computer Science & Appl, Panjab
University, Chandigarh. INDIA
sonal_chawla@yahoo.com
Abstract: The research paper looks at the perception of
students and their readiness for the new approach towards
learning through the Learning Objects. The Learning Objects
for the C++ course were developed as part of this study and then
tested using the LORI scale and the performance of the students
taught using learning objects was compared with the students
learning the same course in the traditional way.Finally the
conclusions are drawn.
Keywords: Learning Objects, LORI Scoresheets, e-learning,
learning evaluation.
1. Introduction
The development of effective content suiting the learning
style of users and the prevailing learning scenarios improves
the success rate of an e-Learning initiative significantly. It
is, therefore, important for content to adhere to the
objectives of the program and be powerful enough to engage
the user. The establishment of means of quality assurance,
requires criteria for evaluation that supports the
communication of meaningful feedback to designers for
content information.
Development of Learning objects that matches intended
outcomes and delivers the requisite cognitive load requires
careful planning and structured development. For that
purpose, Nesbit and Li [10] developed a Learning Object
Review Instrument (LORI 1.5) which can be used to reliably
assess some aspects of Learning Objects. This approach was
adopted in the design of their convergent participation
model for the evaluation of learning objects. Their model
proposed an evaluation panel drawn from different
stakeholder groups and a two-cycle process, whereby
participants would begin by evaluating the learning object
independently and asynchronously. The two-stage cycle was
facilitated by electronic communication tools and used the
Learning Object Review Instrument (LORI) to specify the
rating scale and criteria of evaluation. Subsequent research
on the use of the LORI revealed that objects that were
evaluated collaboratively led to greater inter-rater reliability
as opposed to ones evaluated independently
There have been a limited number of empirical studies
examining the learning outcomes and the instructional
effectiveness of Learning Objects despite the fact that
Learning Object repositories commonly use the review
instruments. A few of the worth mentioning are the study by
Kay and Knaack [3][2] which examines the quality of
Learning Objects through content analysis of open-ended
Vol. 2, No. 9, September 2010
response questions based on principles of instructional
design and perceived benefit under post-hoc structured
categories. They evaluated five learning objects with
secondary school students but this study has the limitation
that it focused only on perceived benefits of Learning
Objects rather than on the actual learning outcomes
resulting from the Learning Object activities.
In another study Akpinar and Simsek [1] tested eight
Learning Objects, with school children in a pre-post test
research design. The data analysis revealed that seven of the
Learning Objects helped the sample students improve their
pretest scores, but in one, the Horizontal Projectile Motion
(HPM) LO for ninth grade students, the scores did not
improve.
On similar design, Nurmi and Jaakkola [4] conducted an
experimental study using a pre-test post-test design to
evaluate the effectiveness of three Learning Objects from
three different subject areas, i.e. Mathematics, Finnish
Language and Science. The Learning Objects, tested with
school children, were used in different instructional settings.
The results revealed that no significant differences were
observed between the Learning Object and the traditional
teaching conditions with low and high prior knowledge
students.
This study, thus, developed ten Learning Objects for the
C++ course using the Authoring Software ‘Xerte’ [9] and
‘Moodle’ and then tested them by conducting two studies.
The details of Learning Object development have been
deliberately kept out of this research paper since its major
focus is on evaluation of developed Learning Objects.
2. Study 1: To evaluate the Quality of Learning
Objects using the LORI score sheets.
2.1 Aim of the Study
To evaluate the quality of developed Learning Objects the
students were asked to rate and review the Learning objects
individually using the LORI score sheets (Sample sheet
variables discussed below). Following the reviewing and the
rating process, the researcher combined the ratings and
estimated average rating for each Learning Object. Average
ratings were estimated both for each of nine issues for a
particular Learning Object and for the overall rating of that
Learning Object.
 (IJCNS) International Journal of Computer and Network Security, 23
Vol. 2, No. 9, September 2010

2.2 Methodology Interaction Usability (V6): refers to ease of

navigation, predictability of the user interface and
The evaluation of Learning Objects for their quality was
quality of the interface help features.
based on the LORI (Learning Object Review Instrument)
scale [10]. Dimensions for evaluating learning object quality
in LORI 1.5 have been listed below:-
Content Quality (V1): refers to Veracity, accuracy,
Accessibility (V7): refers to Design of controls and
balanced presentation of ideas, and appropriate level of
presentation formats to accommodate disabled and
detail included in Learning Objects.
mobile learners
Learning Goal Alignment (V2): refers to Alignment
Reusability (V8): refers to the ability to use in varying
among learning goals, activities, assessments, and
learning contexts and with learners from differing
learner characteristics.
backgrounds.
Feedback and Adaptation (V3): refers to Adaptive
Standards Compliance (V9): refers to the adherence to
content or feedback driven by differential learner input
international standards and specifications.
or learner modeling.
Motivation (V4): refers to the ability to motivate and
interest an identified population of learners.
Presentation Design (V5): refers to the design of visual
and auditory information for enhanced learning and
efficient mental processing.

2.3 Observation

Table 1: Correlation Matrix between variables

Correlations

V1 V2 V3 V4 V5 V6 V7 V8 V9

Pearson -
1 .498(**) -.072 -.330 .152 -.218 -.194 .412(*)
Correlation .478(**)
V1
Sig. (2-tailed) .002 .682 .004 .053 .383 .208 .263 .014
N 35 35 35 35 35 35 35 35 35
Pearson - - .464(**
.498(**) 1 .172 .080 -.196 -.099
Correlation .547(**) .734(**) )
V2
Sig. (2-tailed) .002 .324 .647 .001 .259 .000 .571 .005
N 35 35 35 35 35 35 35 35 35
Pearson -
-.072 .172 1 .709(**) .150 .056 -.119 .268
Correlation .511(**)
V3
Sig. (2-tailed) .682 .324 .000 .389 .751 .002 .494 .119
N 35 35 35 35 35 35 35 35 35
Pearson -
.080 .709(**) 1 .206 -.031 -.293 .099 .157
Correlation .478(**)
V4
Sig. (2-tailed) .004 .647 .000 .234 .860 .087 .570 .369
N 35 35 35 35 35 35 35 35 35
Pearson -
-.330 .150 .206 1 .181 .210 -.237 -.361(*)
Correlation .547(**)
V5
Sig. (2-tailed) .053 .001 .389 .234 .298 .226 .170 .033
N 35 35 35 35 35 35 35 35 35
Pearson -
.152 -.196 .056 -.031 .181 1 .459(**) .084
V6 Correlation .484(**)
Sig. (2-tailed) .383 .259 .751 .860 .298 .006 .003 .631
24 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

N 35 35 35 35 35 35 35 35 35
Pearson - -
-.218 -.293 .210 .459(**) 1 .201 -.343(*)
Correlation .734(**) .511(**)
V7
Sig. (2-tailed) .208 .000 .002 .087 .226 .006 .247 .043
N 35 35 35 35 35 35 35 35 35
Pearson -
-.194 -.099 -.119 .099 -.237 .201 1 -.211
Correlation .484(**)
V8
Sig. (2-tailed) .263 .571 .494 .570 .170 .003 .247 .224
N 35 35 35 35 35 35 35 35 35
Pearson
.412(*) .464(**) .268 .157 -.361(*) .084 -.343(*) -.211 1
Correlation
V9
Sig. (2-tailed) .014 .005 .119 .369 .033 .631 .043 .224
N 35 35 35 35 35 35 35 35 35
** Correlation is significant at the 0.01 level (2-tailed). * Correlation is significant at the 0.05 level (2-tailed).

2.4 Analysis and Discussion 3. Study 2: To compare the performance of

Table 7 is a 9 X 9 symmetric correlation table. Correlation
between all the 9 variables of the LORI chart taken as V1 to
V9 respectively has been shown here. ** marked values
show the Correlation between two variables is significant at
the level of 1% and * indicates the level of significance at
5%. The Correlation table shows that there is a significant
positive correlation between V1 and V2 (r= .498, p<.002)
and V1 and V9 (r=.412, p<.014) however, there is a
negative correlation between V1 and V4 (r=-.478, p<.004).
However, the correlation of V1 with other variables was
found to be non-significant. Similarly, there is a significant
positive correlation between V2 and V9 (r=.464, p<.005)
and negative co-relation between V2 and V5 (r=-
.547,p<.001) and the correlation of the rest of the variables
with V2 are non-significant. A positive correlation exists
between V3 and V4 (r=.709, p<.0001), V6 and V7
(r=.459,p<.006) and a negative correlation between V3 and
V7(r=-.511,p<.002) and V6 and V8 (r= -.484,p< .003). So
the Null hypothesis that there is no correlation between two
variables is rejected wherever the correlation coefficient is
significant.
The above table also suggests that content quality has
positive correlation with learning goal alignment and
motivation which clearly suggests that when the content
quality is enhanced the students are better aligned to their
learning goals and their motivation enhances. The positive
correlation has also been observed between other variables
like Feedback adaptation and Motivation and Interaction
Usability and Accessibility as shown in the table 7. This
indicates that better the design features, better is the
usability and accessibility i.e. they are directly proportional
to one another. So wherever the correlation is significant,
the Null hypothesis that the correlation between the two
variables of LORI sheets is zero, is rejected.
students when taught C++ under traditional,
teacher led instruction mode with the
performance when taught C++ using Learning
Object Approach.
3.1 Aim of the study
The aim of this study is to gain empirical evidence on the
educational effectiveness and usefulness of Learning Objects
in various instructional settings. In this study the
effectiveness of Learning Object learning environment is
compared with traditional classroom teaching environment
in delivering course on C++. So this study becomes an
exploratory study that consists of comparing performance of
two groups of students studying Programming in C++
under two different conditions
• Using traditional teacher led approach
• Using Learning Objects
3.2 Methodology followed
The study was based on pre-test-post-test design in which
the educational effectiveness of Learning conditions
(Learning Object versus traditional instruction) is measured
in terms of gains in subject knowledge. In addition to
statistical analysis of test score data, more descriptive and
qualitative observational analysis were made. The results of
this study were compared and some conclusions were
drawn.
The study consisted of two hours of concrete working and
administration of various tests. Before the actual working
phase (treatment phase), students completed a pre-test to
gain insight into their background about the programming
language C++.
 (IJCNS) International Journal of Computer and Network Security, 25
Vol. 2, No. 9, September 2010

time to explore the topic. At the end of the course both the
Over a period of a semester the students were taught the groups were tested.
course in different modes. The total group size was 35
where 18 students were imparted training using Learning
Object approach and the rest 17 using traditional mode.
Ahead of this group formation the students with no 3.6 Hypothesis
programming experience and previous programming
experience were identified and then the groups were formed Traditional Approach
with both types randomly distributed within the two groups. 1) HO = The teaching using traditional method is not
effective.
3.3 Structure of Teaching Session 2) H1 = The teaching using traditional method is
effective
Each group was given an hour’s session with the following Learning Object Approach
structure 1) HO = The teaching using Learning Object method is
1. A lecture about the C++ topic. not effective.
2. Individual study and use of corresponding learning 2) H1 = The teaching using Learning Object method
materials is effective
3. Solution of a test
Where HO is the Null Hypothesis which is an important
In order to have a controlled teaching style variable the technique used by the researchers in the field of education.
same teacher conducted both the sessions. In the LO A Null hypothesis is useful in testing the significance of
condition (n=18) the students were given introduction on difference.
the subject content to the students first and for the rest of the
sessions the students completed LO assignments 3.7 Analysis and Observations
individually at their own pace. The Learning Objects were
principally quite simple drill-and-practice programs which In order to note and compare the behavioral patterns of the
were designed to be game-like and to provide instant students studying the same course in different modes, the
feedback for students’ input/answers. The way of working teacher conducting the test provided the qualitative data to
was student-led because there was no direct teaching nor the analysis. They asserted the following observations that
teacher controlled tasks during the assignment phase. The during the course of evaluation it was found that the
students were briefed that in order to be successful in this participants of the learning object group were nervous,
approach they required a higher level of self-regulation and stressed and anxious. They took more time to complete the
meta cognitive skills like self-monitoring, controlling, test whereas the traditional group was more at ease, relaxed
maintenance of task orientation etc. than working in the and less stressed. The data obtained for both groups has
traditional condition. been summarized as below:-
The students (n=17) in the traditional mode were taught in
the normal classroom. The teaching method resembled Table 2: Pre-test Post-test analysis of Traditional and LO
normal instruction with a teacher-led introduction followed group
by an assignment phase when students individually Group N Mean Std. Paired p-
completed different paper-and-pencil tasks. These tasks
were similar to the assignments completed in the LO mode. Deviatio t-test value
n
3.4 Description of the Test
Traditiona
The students were evaluated on the basis of a written exam. 17 2.29 2.51 .483 >.05
l Pre-test
The test consisted of two exercises : one to demonstrate
theoretical knowledge of the students and second to judge
their practical programming abilities. The complete test 17 3.11 2.12
Post-test
summed up to a total maximum score of 10 points. The test
was conducted for the one hour duration. LO
Pre-test 18 3.00 2.26 .388 >.05
3.5 Teaching Methodology:
18 3.61 2.10
The traditional group was imparted training using lecture
Post-test
delivery and instructional material containing theory and
examples. Later they were given free time to explore, study
and experiment with the topics covered in the class. The results clearly indicate that the mean of the Learning
However, the lectures were delivered to the Learning Object Object group was slightly superior to the traditional group.
group by using the Learning Objects designed by the They performed better for both the tests given to them as
researcher as part of this study. They too were given free part of the evaluation. In the pre-test the traditional group
(mean=2.29), though, did not perform better than the LO
26 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

group(mean=3.00). However, the performance of the Technology and Distance Learning, 4(3), pp 31-44,
Learning Object group (mean=3.61) was better than the 2007
traditional group(mean=3.11). When a paired t-test was [2] R. Kay & L. Knaack, “Developing learning
applied on the groups to pre and post observations, the t test objects for secondary school students: A
results were non-significant in each case. (Pre-test =.483, multicomponent model”. Interdisciplinary Journal of
Post test =.388). The paired t-test, thus, showed no Knowledge and Learning Objects,1, pp 229-254 , 2005
statistically significant difference between the [3] R. Kay & L. Knaack, “Evaluating the learning in
condition(p>.05). The Null Hypothesis, therefore, learning objects”. Open Learning: The Journal of Open
has to be accepted that there is no significant difference and Distance Learning, 22(1), pp 5–28, 2007.
between the performance of students in both/each modes. [4] S. Nurmi & T. Jaakkola, “Problems underlying the
According to the preliminary analysis , the observation learning object approach”. International Journal of
revealed that in the LO condition students worked mainly on Instructional Technology and Distance Learning,
the perception that they had two different assignments: learn 2(11), pp 61–66, 2005.
to use the Learning Objects and complete the test. They [5] K.Salas & L. Ellis, “The development and
seemed to focus on the procedural features and concrete implementation of learning objects in a higher
functions rather than on content or instructional aspects. education setting”. Interdisciplinary Journal of
They were more interested in solving the logic behind the Knowledge and Learning Objects, 2, pp 1-22, 2006.
Learning Objects i.e. how they worked. Although student’s [6] Felix g,Hamza-Lup, Razvan Stefan Bot, Ioan Salomie.
task orientation remained well during the sessions while “Virtual University of Cluj-Napoca, A Web based
they were actively accomplishing LO assignments, the depth Educational Framework”. [Accessed: Aug 20, 2010]
of orientation was not much. The working with LO did not [7] T. Cochrane, “Interactive QuickTime: Developing
engage students with thinking about the content being and evaluating multimedia learning objects to enhance
learnt. Instead, the work in the traditional condition was both face-to-face and distance e-learning
much more focused on the learning tasks. This could be due environments”. Interdisciplinary Journal of Knowledge
to a larger amount of external control imposed by the and Learning Objects. 2005
teacher. It can, therefore, be concluded that though the [8] D.A. Wiley, “Connecting learning objects to
requirements of self-regulation in the LO condition were instructional design theory: A definition, a metaphor,
overwhelming at the same time they were detrimental to and a taxonomy. In D. A.Wiley (Ed.), The instructional
their learning outcomes. use
of learning objects”: Online version. [Accessed: Aug
It can also be conveniently assumed that the sole use of 20,
Learning Object in lecture impartation and course delivery 2010]
cannot bring a significant difference in the performance of [9] www.nottingham.ac.uk/xerte/.
students. There are other important contextual factors that [Accessed: Aug 20, 2010]
may yet have to be identified to improve academic [10] J.C. Nesbit & J.Li, “ Web-based tools for learning
achievement. Besides, a more prolonged exposure to LO has object evaluation”. Proceedings of the
to be explored and measured under carefully controlled International Conference on Education and
conditions. Also it is imperative to think if the learning Information Systems: Technologies and Applications,
orientation in the LO condition of the students is mere Orlando, Florida, USA, 2, pp 334-339, 2004.
curiosity to a new style of learning for students or the LO
design then supporting pedagogy needs to be modified.
Therefore, when examining the effectiveness of Learning
Objects on student learning outcomes, it is essential to note
that it is the effect of the whole learning environment and
not just of that of Leaning Objects. As it is impossible to
separate learning activities, learned contents and learning
situations from each other, it is also not feasible to detach
the educational technology applications used from the social
and contextual factors of the learning processes. Thus, it is
the Learning Objects and the instructional arrangements
within learning environments that interact together to
stimulate certain student learning activities, behaviours and
outcomes. Learning Object represent only one part of the
larger learning environment and not as self-contained
instructional solution.

References

[1] Y. Akpinar & H. Simsek, “Should K-12 teachers

develop learning objects? Evidence from the field with
K-12 students”. International Journal of Instructional
 (IJCNS) International Journal of Computer and Network Security, 27
Vol. 2, No. 9, September 2010

A Mechanism for detecting Wormhole Attacks on

Wireless Ad Hoc Network
Ajit Singh1, Kunwar Singh Vaisla2
1
Department of CSE, VCT Kumaon Engineering College
Dwarahat, District – Almora (Uttarakhand), India
erajit@rediffmail.com
1
Department of CSE, VCT Kumaon Engineering College
Dwarahat, District – Almora (Uttarakhand), India
vaislaks@rediffmail.com

Abstract: A wireless ad hoc network is an autonomous system
of mobile hosts connected by wireless links. The nodes are free
to move randomly and organize themselves arbitrarily; thus
network’s topology may change rapidly and unpredictably.
Unlike traditional wireless network, ad hoc network do not rely
on any fixed infrastructure. Instead, hosts rely on each other to
keep the network connected. One main challenge in the design
of these networks is their vulnerability to security attacks. Ad
hoc networks are vulnerable due to their fundamental
characteristics, such as open medium, dynamic topology,
distributed cooperation and constraint capability. Routing plays
an important role in security of ad-hoc network. In Ad hoc
network, there are mainly two kinds of routing protocols:
proactive routing protocol and on demand routing protocol. In
general, routing security in wireless ad hoc network appears to
be a problem that is not trivial to solve.
In this paper, we introduce the wormhole attack, a severe attack
in ad hoc networks that is particularly challenging to defend
against. The wormhole attack is possible even if the attacker has
not compromised any hosts and even if all communication
provides authenticity and confidentiality. In the wormhole
attack, an attacker receives packets at one point in the network,
“tunnels” them to another point in the network, and then
replays them into the network from that point. The wormhole
attack can form a serious threat in wireless networks, especially
against many ad hoc network routing protocols and location-
based wireless security systems. For example, most existing ad
hoc network routing protocols, without some mechanism to
defend against the wormhole attack, would be unable to find
routes longer than one or two hops, severely disrupting
communication. We present a technique to identify wormhole
attacks in wireless ad hoc network and a solution to discover a
safe route avoiding wormhole attack. It is time based calculation
which requires minimal calculation.
Keywords: Ad hoc Networks, Wormholes.
1. Introduction
Ad hoc networks consist of wireless nodes that communicate
with each other in the absence of a fixed infrastructure.
These networks are envisioned to have dynamic, sometimes
rapidly changing, random, multi-hop topologies, which are
likely composed of relatively bandwidth-constrained
wireless links. In such a network, each mobile node operates
not only as a host but also as a router, forwarding packets
for other mobile nodes in the network that may not be
within direct wireless transmission range of each other.
Each node participates in an ad hoc routing protocol that
allows it to discover “multi-hop” paths through the network
to any other node. The idea of ad hoc networking is
sometimes also referred to as “infrastructure less
networking”, since the mobile nodes in the network
dynamically establish routing among themselves to form
their own network on the fly. Due to the limited
transmission range of wireless networks interfaces, multiple
network hops may be needed for one node to exchange data
with another across the network.[1] Ad hoc network
technology can provide an extremely flexible method of
establishing communications in situations where
geographical or terrestrial constraints demand a totally
distributed network system without any fixed based station,
such as battlefields, military applications, and other
emergency and disaster situations.[2]
However, security is an important issue of ad hoc network
especially for security sensitive applications. The intrinsic
nature of wireless ad hoc networks makes them vulnerable
to attacks ranging from passive eavesdropping to active
interfering. There is no guarantee that a routed
communication path between two nodes will be free of
malicious nodes that will, in some way, not comply with the
employed protocol and attempt to interfere the network
operation. Most routing protocol cannot cope with
disruptions due to malicious behavior. For example, any
node could claim that it is one hop away from a given
destination node, causing all routes to that destination to
pass through itself.
In this paper, we introduce the wormhole attack, a severe
attack in ad hoc networks that is particularly challenging to
defend against. The wormhole attack is possible even if the
attacker has not compromised any hosts and even if all
communication provides authenticity and confidentiality. In
the wormhole attack, an attacker receives packets at one
point in the network, “tunnels” them to another point in the
network, and then replays them into the network from that
point. The wormhole attack can form a serious threat in
wireless networks, especially against many ad hoc network
routing protocols and location-based wireless security
systems. For example, most existing ad hoc network routing
protocols, without some mechanism to defend against the
wormhole attack, would be unable to find routes longer than
one or two hops, severely disrupting communication. We
present a technique to identify wormhole attacks in wireless
ad hoc network and a solution to discover a safe route
avoiding wormhole attack.
28
The rest of paper is organized as follows. Section II of this
paper presents the wormhole attacks in details. Section III
studies various solutions to wormhole attack. Section IV
discusses proposed mechanism to prevent ad hoc wireless
network from wormhole attack. Section V concludes paper.
2. Wormhole Attacks
In a wormhole attack, an attacker receives packets at one
point in the network, “tunnels” them to another point in the
network, and then replays them into the network from that
point. For tunneled distances longer than the normal
wireless transmission range of a single hop, it is simple for
the attacker to make the tunneled packet arrive sooner than
other packets transmitted over a normal multihop route, for
example by use of a single long-range directional wireless
link or through a direct wired link to a colluding attacker. It
is also possible for the attacker to forward each bit over the
wormhole directly, without waiting for an entire packet to be
received before beginning to tunnel the bits of the packet, in
order to minimize delay introduced by the wormhole.
The wormhole attack is a particularly dangerous attack
against many ad hoc network routing protocols in which the
nodes that hear a single-hop transmission of a packet
consider themselves to be in range of the sender.
Figure 1. Wormhole attack using out of band Channel
2.1 Classification
There are several ways to classify wormhole attacks.
2.1.1 Depending on whether wormhole nodes put their
identity into packet’s header.[12]
Here we can categorize wormhole attack into two categories:
Hidden Attacks and Exposed Attacks.
In Hidden Attack, Wormhole nodes do not update packets’
headers as they should so other nodes do not realize
existence of them.
In Exposed Attack, wormhole nodes do not modify the
content of packets but they include their identities in the
packet header as legitimate nodes do. Therefore, other nodes
are aware of wormhole nodes’ existence but they do not
know wormhole nodes are malicious.
2.1.2 Based on the techniques used for launching
wormhole attack.[2]
(a) Wormhole using Encapsulation
This mode of the wormhole attack is easy to launch since
the two ends of the wormhole do not need to have any
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
cryptographic information, nor do they need any special
capabilities, such as a high speed wire line link or a high
power source. A simple way of countering this mode of
attack is a by-product of the secure routing protocol ARAN
[10], which chooses the fastest route reply rather than the
one which claims the shortest number of hops. This was not
a stated goal of ARAN, whose motivation was that a longer,
less congested route is better than a shorter and congested
route.
(b) Wormhole using Out-of-Band Channel
This mode of the wormhole attack is launched by having an
out-of-band high-bandwidth channel between the malicious
nodes. This channel can be achieved, for example, by using
a long-range directional wireless link or a direct wired link.
This mode of attack is more difficult to launch than the
previous one since it needs specialized hardware capability.
(c) Wormhole with High Power Transmission
In this mode, when a single malicious node gets a route
request, it broadcasts the request at a high power level, a
capability which is not available to other nodes in the
network. Any node that hears the high-power broadcast,
rebroadcasts it towards the destination. By this method, the
malicious node increases its chance to be in the routes
established between the source and the destination even
without the participation of a colluding node. A simple
method to mitigate this attack is possible if each node can
accurately measure the received signal strength and has
models for signal propagation with distance. In that case, a
node can independently determine if the transmission it
receives is at a higher than allowable power level. However,
this technique is approximate at best and dependent on
environmental conditions. LITEWORP provides a more
feasible defense against this mode.
(d) Wormhole using Packet Relay
In this mode of the wormhole attack, a malicious node
relays packets between two distant nodes to convince them
that they are neighbors. It can be launched by even one
malicious node.
(e) Wormhole using Protocol Deviations
In this mode, a malicious node can create a wormhole by
simply not complying with the protocol and broad casting
without backing off. The purpose is to let the request packet
it forwards arrive first at the destination and it is therefore
included in the path to the destination.
3. Solutions To. Wormhole Attacks
Packet Leash [1] is an approach in which some information
in added to restrict the maximum transmission distance of
packet. There are two types of packet leashes: geographic
leash and temporal leash. In geographic leash, when a node
A sends packet to another node B, the node must include its
location information and sending time into the packet. B
can estimate the distance between them. The geographic
leash computes an upper bound on the distance, whereas the
temporal leash ensures that packet has an upper bound on
its lifetime. In temporal leashes, all nodes must have tight
time synchronization. The maximum difference between any
 (IJCNS) International Journal of Computer and Network Security, 29
two nodes’ clocks is bounded by Δ, and this value should be
known to all the nodes. By using metrics mentioned above,
each node checks the expiration time in the packet and
determine whether or not wormhole attacks have occurred.
If packet receiving time exceed the expiration time, the
packet is discarded.
Capkun et al. [7] presented SECTOR, which does not
require any clock synchronization and location information,
by using Mutual Authentication with Distance-Bounding
(MAD). Node estimates the distance to another node in its
transmission range by sending it one-bit challenge, which
responds to instantaneously. By using the time of flight,
detects whether or not is neighbor or not. However, this
approach uses special hardware that can respond to one-bit
challenge without any delay as Packet leash is.
The Delay per Hop Indicator (DelPHI) [9] proposed by
Hon Sun Chiu and King-Shan Lui, can detect both hidden
and exposed wormhole attacks. In DelPHI, attempts are
made to find every available disjoint route between sender
and receiver. Then, the delay time and length of each route
are calculated and the average delay time per hop along
each route is computed. These values are used to identify
wormhole. The route containing wormhole link will have
greater Delay per Hop (DPH) value. This mechanism can
detect both types of wormhole attack; however, it cannot
pinpoint the location of wormhole. Moreover, because the
lengths of the routes are changed by every node, including
wormhole nodes, wormhole nodes can change the route
length in certain manner so that they cannot be detected.
Hu and Evans [6] use directional antennas to prevent
the wormhole attack. To thwart the wormhole, each node
shares a secret key with every other node and maintains an
updated list of its neighbors. To discover its neighbors, a
node, called the announcer, uses its directional antenna to
broadcast a HELLO message in every direction. Each node
that hears the HELLO message sends its identity and an
encrypted message, containing the identity of the announcer
and a random challenge nonce, back to the announcer.
Before the announcer adds the responder to its neighbor list,
it verifies the message authentication using the shared key,
and that it heard the message in the opposite directional
antenna to that reported by the neighbor. This approach is
suitable for secure dynamic neighbor detection. However, it
only partially mitigates the wormhole problem. Specifically,
it only prevents the kind of wormhole attacks in which
malicious nodes try to deceive two nodes into believing that
they are neighbors.
In [9], another statistical approach called SAM
(Statistical Analysis of Multi-path) was proposed to detect
exposed wormhole attacks in Multi-path routing protocol.
The main idea of the proposed scheme SAM is based on the
observation that certain statistics of the discovered routes by
routing protocols will change dramatically under wormhole
attacks. Because wormhole links are extremely attractive to
routing
requests so it will appear in more routes than normal links.
By doing statistics on the relative frequency of each link
appear in the set of all obtained routes, they can identify
wormhole attacks. This technique is only used to detect
Vol. 2, No. 9, September 2010
exposed attacks. It is unable to detect hidden attacks because
in this kind of attack wormhole links does not appear in
obtained routes.
In [10], the author proposed two statistical
approaches to detect wormhole attack in Wireless Ad Hoc
Networks. The first one called Neighbor Number Test bases
on a simple assumption that a wormhole
will increase the number of neighbors of the nodes (fake
neighbors) in its radius. The base station will get
neighborhood information from all sensor nodes, computes
the hypothetical distribution of the number of neighbors and
uses statistical test to decide if there is a wormhole or not.
The second one called
All Distance Test detects wormhole by computing the
distribution of the length of the shortest paths between all
pairs of nodes. In these two algorithms, most of the
workload is done in the base station to save sensor nodes’
resources. However, one of the major drawbacks is that they
can not pinpoint the location of wormhole which is
necessary for a successful defense.
Possible solutions to wormhole attacks proposed by different
researchers are discussed in this section. The detection of
wormhole attacks that does not need any special hardware
and additional information is proposed in this paper.
4. Proposed Detection Mechanism
In this section the proposed wormhole detection mechanism
is discussed in detail. This mechanism does not need any
special hardware or synchronized clocks because it only
considers its local clock to calculate the RTT.
4.1 Network model and assumptions
The network is assumed to be homogeneous (all network
nodes contain the same hardware and software
configuration), static (network do not move after
deployment), and Symmetric (Node A can only
communicate with node B if and only if B can communicate
with A). All nodes are uniquely identified.
To make detection, it is based on the RTT of the
message between successive intermediate nodes. The
consideration is that RTT between two fake neighbors or
two wormhole links will be considerable higher than that
between two real neighbors.
This proposed mechanism consists of two phases. The first
phase is to find route between source and destination. In
Second phase, it calculates the RTT of all intermediate
nodes and detect wormhole link in route.
4.2 Phase 1: Route Finding
In the first phase, node sends the route request (RREQ)
message to the neighbor node and save the time of its RREQ
sending TREQ. The intermediate node also forwards the
RREQ message and saves
TREQ of its sending time. When the RREQ message
reaches the destination node, it sends route reply message
(RREP) with the reserved path. When the intermediate node
receives the RREP message, it saves the time of receiving of
30
RREP. The assumption is based on the RTT of the route
request and reply. The RTT can be calculated as
RTT= TREP – TREQ ………….. (1).
All intermediate nodes save this information and then send
it also to the source node.
4.3 Phase 2: Wormhole Attack Detection
In this phase, the source node calculates the RTT of all
intermediate nodes since wormhole attack launched by
adversary intermediate nodes there is no need to calculate
RTT between source to first node and last node to
destination. It calculates the RTT of successive intermediate
nodes and compares the value to check whether the
wormhole attack can be there or not. If there is no attack,
the values of them are nearly the same. If the RTT value is
higher than other successive nodes, it can be suspected as
wormhole attack between this link. In this way the
mechanism can pinpoint the location of the wormhole
attack.
Figure 2. Time of forwarding RREQ & receiving RREP.
4.4 Calculation of RTT
In this subsection, the detailed calculation of the RTT is
discussed. The value of RTT is considered the time
difference between a node receives RREP from a destination
to it send RREQ to the destination. During route setup
procedure, the time of sending RREQ and receiving RREP
is described in Figure 2. In this case, every node will save
the time they forward RREQ and the time they receive
RREP from the destination to calculate the RTT and send
these values to source node. The source node is in charge of
calculating all RTT values between intermediate nodes
along the established route.
Given all RTT values between nodes in the route and
the destination, RTT between two successive nodes, say A
and B, can be calculated as follows:
RTTA,B = RTTA – RTTB …………….. (2).
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
Where RTTA is the RTT between node A and the
destination, RTTB is the RTT between node B and the
destination.
For example, the route from source (S) to destination (D)
pass through node A, and B so which routing path includes:
S → A → B → K→L→D
whereas T(S)REQ, T(A)REQ, T(B)REQ , T(K)REQ,
T(L)REQ, T(D)REQ is the time the node S, A, B, K, L, D
forward RREQ and (S)REP, T(A)REP, T(B)REP, T(K)REP
, T(L)REP ,T(D)REP is the time the node S, A, B, K, L, D
forward REP.
Then the RTT between S, A, B, K, L and D will be
calculated based on equation (1) as follows:
RTTA = T(A)REP – T(A)REQ
RTTB = T(B)REP – T(B)REQ
RTTK = T(K)REP – T(K)REQ
RTTL = T(L)REP – T(L)REQ
And the RTT values between two successive intermediate
nodes along the path will be calculated based on equation
(2):
RTTA,B = RTTA – RTTB
RTTB,K = RTTB – RTTD
RTTK,L = RTTB – RTTD
Under normal circumstances, RTTA,B RTTB,K RTTK,L
are similar value in range. If there is a wormhole line
between two nodes, the RTT value may considerably higher
than other successive RTT values and suspected that there
may be a wormhole link between these two nodes.
Compare to another RTT based technique[12] our technique
has lesser number of calculations. Our technique is based on
the fact that wormhole attack is launched by intermediate
nodes therefore there is no need to calculate RTT between
source node to first node and RTT between last node to
destination node. By doing so, we can reduce number of
calculations which in turn speed up the wormhole attack
detection process.
5. Conclusions
In this paper, we have introduced the wormhole attack, a
powerful attack that can have serious consequences on many
proposed ad hoc network routing protocols. The
countermeasures for the wormhole attack can be
implemented at different layers. For example, directional
antennas are used at the media access layer to defend
against wormhole attacks, and packet leashes are used at a
network layer. To detect and defend against the wormhole
attack, we proposed an efficient mechanism based on the
RTT of the route message. The significant feature of the
propose mechanism is that it does not need any specific
hardware to detect the wormhole attacks and it also reduces
number of RTT calculations. Our mechanism is better than
 (IJCNS) International Journal of Computer and Network Security, 31
Vol. 2, No. 9, September 2010

other RTT based mechanisms since it re-quires lesser Authors Profile

number of calculations to detect wormhole attacks.
References
[1] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru,
and H Rubens, “Mitigating Byzantine Attacks in Ad
Hoc Wireless Networks,” Department of Computer
Science, Johns Hopkins University, Tech. Rep. Version
1, March 2004
[2] Levente Buttyán, László Dóra, István Vajda: Statistical
Wormhole Detection in Sensor Networks. Second
European Workshop on Security and Privacy in Ad Hoc
and Sensor Networks (ESAS 2005) Visegrád, Hungary,
July 13-14, 2005: 128-141
[3] S. Capkun, L. Buttyán, and J.-P. Hubaux, SECTOR:
Secure Tracking of Node Encounters in Multi-hop
Wireless Networks,” in Proceedings of the 1st ACM
workshop on Security of ad hoc and sensor networks
(SASN 03), pp.2132, 2003.
[4] L. Hu and D. Evans, “Using Directional Antennas to
Prevent Wormhole attacks,” in Network and Distributed
System Security Symposium, 2004.
Ajit Singh is currently working as
Associate Professor in Dept. of Computer
Science & Engineering, VCT Kumaon
Engineering College, Dwarahat (Almora),
India. He is having around 11 year teaching
experience. His area of Interest is Artificial
Intelligence.
K. S. Vaisla received the Graduate and Post
Graduate degrees from University of
Rajasthan, Jaipur in 1994 and 1998,
respectively. Presently he is working as
Associate Professor (Computer Science &
Engineering) in Kumaon Engineering
College (A Govt. Autonomous College),
Dwarahat (Almora) – Uttarakhand.
Interested field of research are ICT impact on
G2C of e-Governance, Data Warehouse and Mining, Complex /
Compound Object Mining, IBIR. Authored many research papers
in International / national journals/conferences in the field of
computer science and also many books in reputed publishing
house.

[5] L. Hu and D. Evans, “Using Directional Antennas to

Prevent Wormhole attacks,” in Netwotrk and
Distributed System Security Symposium, 2004
[6] Y. Hu, A. Perrig, and D. Johnson,“Packet leashes: A
defense against wormhole attacks in wireless
networks.,” in INFOCOM, 2003.
[7] Issa Khalil, Saurabh Bagchi, and Ness B. Shroff,
“Liteworp: A lightweight countermeasure for the
wormhole attack in multihop wire-less networks.,” in
DSN, 2005, pp. 612–621.
[8] Lijun Qian, Ning Song, and Xiangfang Li. Detecting
and locating wormhole attacks in Wireless Ad Hoc
Networks through statistical analysis of multi-path.
IEEE Wireless Communications and Networking
Conference -WCNC 2005.
[9] Hon Sun Chiu King-Shan Lui, DelPHI:
WormholeDetection Mechanism for Ad Hoc Wireless
Networks, International Symposium on Wireless
Pervasive Computing ISWPC 2006.
[10] T. V. Phuong, Ngo Trong Canh: Transmission
Time-based Mechanism to Detect Wormhole Attacks.
IEEE Asia-Pacific Services Computing Conference
2007.
[11] V. T. Phuong, Le Xuan Hung, Young-Koo Lee,
Heejo Lee, Sungyoung Lee, TTM: An Efficient
Mechanism to Detect Wormhole Attacks in Wireless
Ad-hoc Networks, Wireless Sensor Network Track at
IEEE Consumer Communications and Networking
Conference (CCNC), Las Vegas, USA, Jan 11-13, 2007.
[12] J. Zhen and S. Srinivas. Preventing replay attacks
for secure routing in ad hoc networks. Proc. of 2nd Ad
Hoc Networks & Wireless (ADHOCNOW' 03), pp.
140--150, 2003.
32
Detection of Selective Forward Attack in Mobile
Wireless Sensor Networks
S.Sharmila1, and G.Umamaheswari2
1
Research Scholor, Anna University, Coimbatore
hod@dit.psgtech.ac.in
2
Assistant Professor, Department of Electronics and Communication Engineering,
PSG College of Technology
Abstract: Mobile Wireless sensor networks are composed of
a large number of wireless sensors and they require a careful
consumption of available to prolong the life time of the network.
From the security point of view, detecting schemes must be very
light to increase the life time of the network. In this paper,
defensive mechanism is proposed to detect selective forward
attack in mobile wireless sensor networks. The proposed
mechanism is simulated with Berkeley Mica 2 Motes
configuration in Network Simulator Version 2. The scheme is
evaluated in terms of packet delivery ratio and throughput. The
simulation results show that the scheme achieves high detection
rate.
Keywords: Selective Forward attack, Dynamic Window,
Mobile Wireless Sensor Networks.
1. Introduction
Recent advances in wireless communications and micro
electro-mechanical system (MEMS) technologies have
enabled the development of low-cost, low power and small
size wireless sensor nodes. Wireless sensor nodes perform
significant signal processing, computation and network self
configuration to achieve scalable, robust and long-life
networks. Many sensor nodes are capable of local processing
to reduce communications and energy costs consequently.
Wireless sensors have been used in hazard alarms,
monitoring and tracking wild life, heartbeat monitoring for
patients, habitat monitoring, and many more applications.
In Wild life applications, sensors are cast in the field as well
as equipped on animals to monitor. The self organized
nodes are mobile as animals move. In telemedicine
applications and human tracking applications, sensors are
attached to patients and thus constitutes mobile wireless
sensor network. Certain applications such as rescue
management, emergency care and military applications
require secure information transfer between the source and
destination [1]. Considering an example where sensors are
used to sense the blood pressure and temperature of patients
and reports to the intensive care unit of the hospital. The
patients are monitored remotely. In this case, if any data is
hacked by malicious node lead a chaos .It is necessary to
detect the malicious node in the network.
In Selective forward attack malicious node selectively
drops the packet and degrades the performance of the
network. This paper focuses on detection mechanism against
selective forward attack based on Dynamic Source Routing
Protocol for mobile wireless sensor networks.
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
1.1 Motivation
Wireless sensor networks are vulnerable to many routing
attacks such as Selective forward attack , HELLO flood
attack , sinkhole attack, Wormhole attack ,etc because of
broadcast nature of transmission medium, resource
limitation on sensor nodes and uncontrolled environments
where they are left unattended [7]. The existing security
mechanisms are inadequate and new approaches are
required for each routing attack since each attack has its
own nature and characteristics. The major aim of this work
is to detect the selective forward attack which also meets the
security goals such as data authenticity, integrity, and
availability.
The major security objectives are as follows:
• To design defensive mechanisms against
selective forward attack considering the resource
constraints of mobile nodes.
• To identify the malicious node on forward
routing path.
• To provide data authenticity and data
integrity.
• To improve the detection accuracy and data
availability.
1.2 Our Contribution
Selective forwarding is one of the routing methods. The
packet is forwarded to the destination node/base station
based on routing table and network conditions. The
defensive mechanism against selective forward attack based
on Dynamic Window based concept is formulated. Window
refers the session between the complete transmission of
message from the source and destination node/base station.
The message transmission timings of the sessions are
different. With the particular window malicious node is
identified based on the cumulative acknowledgement packet
and drop ratio of the node which lies in the forward routing
path. It is detected by checkpoint, source node, ordinary
node, and node id. Once the node is identified, it is removed
from the network and the packet is routed through the
alternate path. Detection accuracy also depends upon the
transmission and reception range since the nodes are
mobile. Simulation results show that the communication
overhead is slightly high but the detection accuracy is 90%
when the drop ratio is less.
The remaining of this paper is structured as follows. In
Section II represents the Back ground, reviews the existing
works, and proposes the detection scheme. Sections III
 (IJCNS) International Journal of Computer and Network Security, 33
discuss the performance evaluation. Section IV concludes
with the scope of the scheme in future.
2. Background and proposed Scheme
This section describes the selective forward attack and
reviews the existing works.
2.1 Selective Forward Attack
Figure 1 shows an example of selective forward attack. It
drops packet and refuses to forward the message to neighbor
node. If the malicious nodes drop the entire message, the
node is called black hole. Malicious node can forward the
message in a wrong path and gives unfaithful routing
information in the network. It creates unnecessary packet
delay and it leads to confusion in forwarding the message. It
also creates false information and transmission in the
network. It is difficult to detect the malicious node when
there is collision, packet drop due to timer expiry and link
failure, since the nodes are mobile nodes. Selective forward
attack affects the exsisting routing protocols such as DSR,
GPSR, GEAR and Tinos beaconing.
2.2 Review
Selective forward attack may corrupt some mission-
critical applications such as military surveillance and forest
fire monitoring in wireless sensor networks. BinXiao[3][4]
proposed a lightweight security scheme and detected the
selective forward attack using multi-hop
acknowledgements. It has limitations as it requires nodes to
be loosely time synchronized and keep one-way key chains
for authentication. Kim[5] suggested cumulative
acknowledgement based detection. The limitations, data-
reply packets are transmitted through multiple paths. But,
the communication overhead will be high because of
cumulative acknowledgement and there by reducing the
node energy. Y.B.Reddy[7] proposed a new framework to
detect the selective forward attack using game theory model,
the detection of a malicious node is found between the
selective acknowledgement points irrespective of the
dropping rate. J.Brown[8] proposed a sequential
probability ratio test for detecting the attacks in
heterogeneous sensor networks. Mathematical foundations
are also be helpful in detecting the attack. The major
concept of the existing works adopted a scheme in routing
protocols and analyzed its performance in terms of
communication overhead, network throughput, and energy
consumption. In this paper, the light weight scheme based
on dynamic source routing protocol for detecting the attack
Vol. 2, No. 9, September 2010
is used. The limitation of the scheme is high communication
overhead and high energy consumption is high.
2.3 Assumptions
Seven assumptions are proposed in detection mechanism.
First, the Nodes are mobile and transmit the messages
during different sessions. Second, the size of the window is
constant i.e. the total time duration for transmission of
messages per session is kept constant. Third, the Dynamic
Source Routing protocol is implemented in nodes. Fourth,
during a particular session topology is static .Fifth; the node
id is different per session. Sixth, the malicious node only
drops maximum number of packets. And finally, the
messages are authenticated using one-way hash chains.
2.4 Detection Scheme
The existing detection scheme consists of inclusion of
packets such as cumulative acknowledgement of each node,
event packet, acknowledgement packet, control packets and
alert packet. With the inclusion of packets for detections,
communication overhead will be more. The proposed
detection schemes consist of cumulative acknowledgement
packet between the check points of the forward path and the
check point generates the trap message and is sent to the
next node of the forwarding path.
The different phases of the proposed mechanism are as
follows:
1. Node id assignment phase and location
phase
2. Topology identification
3. Forward route selection path
4. Check Point assignment
5. Data transmission
6. Malicious node detection
2.4.1 Node id and Location Phase
Node id is activated only when the transmission is
required. Node id is configured dynamically per session by
the sink node/base station. Whenever the sink node/base
station needs any information it broadcasts the set of node
ids and activates the timer. Node id is valid until timer
expires. Base station stores the allotted node id temporarily
for each session temporarily.
2.4.2 Topology identification phase
After receiving the node id, the node identifies its
neighbor node and stores the next hop neighbor id to dentify
the topology of the network.
2.4.3Forward route selection path
The source node sends the route_ request packet to the
destination node/base station. It responds the route_reply
packet with the selected forward path through which data is
transmitted. Forward path is selected based on the Dynamic
source routing protocol.
2.4.4Check point selection phase
Base station/Destination node assigns the nodes to be
the check point in the forward path randonly. In the
downstream link, check point generates a trap message after
the successful reception of the packet.
2.4.5Data transmission phase
Once the forward path is selected, data is transmitted
from the source to the base station/destination node. Upon
successful reception of data, each node sends an
acknowledgement packet to its next node which lies in the
forward path. The acknowledgement packet of next node
34 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

and previous node is forwarded to next neighbor node in the

forward path. In this way ,acknowledgement packets are 1
32
31
cumulated. Once the check point receives the cumulative 2 41
35
6
acknowledgement packet, it generates the trap message and 46
36
30 47
sends to its next node in the forward path. If the destination 14
20
13 45 37
receives the trap message generated by the last check point, 17
21 38
it shows that the data has been successfully transmitted from 28
5

44
the source and the destination. 48
9
7
43
16
22 39
2.4.6Detection process 49
15
12

8
23
10 24
Step: 1 Base station issues the node id and it is dynamic 50
42
40
18
and unique for a window. 11 25
26
Step 2: Base station sends the data request to all the 33
19
nodes. 3
4
27
Step 3: Source nodes send a route request packet to the 34
B
base station. S

Step 4 : Base station sends a route reply packet to the Window-A

source station . 46 11 44
99 19
Step 5: Base station selects the node in the forward path 14
9
as check points. 45 18 77
14 27 43
Step 6. : Source node sends the data packet to the next 26
78 88
node which lies in the forward path. Upon receiving the data 13
91 66 23
the node sends the acknowledgement packet and the 44
21
5

receiving node sends its acknowledgement packet along 22 6 48

54
15
with the data packet and thus frames the cumulative 52 17
62
43
acknowledgement. 26 4
3 36
Step 7: Once the check point receives the cumulative 83
17
44
acknowledgement, it generates the trap message and it is 81 80 B
5
forwarded along with the data to the next check point. 2
S
7 8
Step 8: Upon receiving the cumulative acknowledgement 1
10 72
packet and the trap message, the base station detects the 98 54

exact malicious node in the forward path based on the Window B

negative acknowledgement. If any node holds its id after a Figure 2. Node-id Detection
predetermined time interval of the window that node is also
suspected as a malicious node and is illustrated in 2.5 Detection Analysis
Algorithm. The proposed detection mechanism has been analyzed
Step 9: Once the malicious node is detected it is removed based on following background:
from the network and the packet is forwarded through the Scenario 1: Based on node id
alternate path. If any node holds the id after the timer expires, that node
Algorithm: Determining malicious node is suspected to be a malicious node. The value of the timer
Input:
CAKP : A cumulative packet received
depends on the number of hops in the forward routing path
{Datan,ACKo,ACK1,…….ACKn} and maximum transmission delay. Packet delivery ratio,
Trap :{check point id, rds, node id of NACK} throughput are further analyzed to confirm the node to be a
n: Total # of ACKs in CAKP
m: Total # of nodes in the forwarding path
compromised node. In Fig 2. the node id’s of Window A
1. create a list of responses [] and traps[] and Window B are different except the node ids such as
of length m 45,15 and 21 and such nodes are treated as malicious nodes.
2. for i=0,….n-1 Scenario 2: Check-point detection
responses [n-1]<- ack n-i 46 11 44
99 19
remove ack n-i from CAKP 14
9
if ack n-I == n then 45 18 77
return {rds=1 } 14 27 43
88
67 78
else {rds=0} 13
91 66 23
retrun ckpid
44 51
endif 22 6 16
21
3. for i=0,……., n-1 54
15
52 17
traps [n-i] <- nids(nack) 62
43
remove and ckpid and rds from 26
3
4
36
trap[] 83
17
4. for i=0,……., n-1 44
81 80 B
5
if ckpidi [trap] != ckpidi+1 then 2
S
if (rdstrap[]==1) then 1
7 8
return ckpids 10 72
98 54
else
return the nids(nack) Figure 3. Check-point detection
end if
 (IJCNS) International Journal of Computer and Network Security, 35
Vol. 2, No. 9, September 2010

The Check-points are randomly selected, if the base mobile nodes. Overlap of window causes the packet drop in
station/destination selects the malicious node as check- the network. Check point should not misjudge an ordinary
points that generate acknowledgement and trap message on node to be a compromised node. In Fig. 5 Node 4 drops the
its own and forward the packet to its neighbor node. In that cumulative acknowledgement packet and it is treated as
case, detection of malicious node may be suspected based on compromised node. Based on the Negative
the node id and packet delivery ratio. Check point id is valid acknowledgement, the compromised node is identified.
until window expires. In Fig. 3 Node 26 and 67 are source
Destina
nodes whereas BS is the base station and it is treated as Source 1 5 8
tion
destination node and forward paths are 26-54-22-6-52-36
and 67-13-44-78-21-88-17-62 respectively. Check points are
22, 16 and 21.The forward path from the source 26 to base Figure 5. Node as Compromised Node
station does not contain any malicious node. But the forward
path from 67 to the Base station contains 21 as check point Format of the Cumulative Acknowledgement packet
but it is also a malicious node. In this case, check point is a Dat Ac Ac … Ack NACK
malicious node and it is detected based on node id and a k0 k1 N
packet drop ratio. Format of the Trap message
Scenario 3: Source node detection Check point RDS Node ids of NACK
The base station broadcasts the request to nodes, and the Node id
malicious node responds to the base station with route
request packet station to gather the routing information and If NACK is set to 0, it denotes that it is a negative
misguide the route in the network. Fig. 4 shows that acknowledgement of data packet and if itis set to 1, it
malicious node 67 voluntarily responds to the base station denotes that it is a negative acknowledgement of route, if the
after receiving the route request and misguides the route. node has not seen the route packet sent by the base
The actual forward path is 67-6-16-52-3 instead of 67-13- station/destination.
44-78-21-88-17-62. The node is detected based on the Received data successfully (RDS=1) denotes that data is
packet drop ratio and based on cumulative received upto the particular check point indicated by its
acknowledgement packet. node id.Once the destination/base station identifies the
46 11 44
99
14
19 malicious nodes, the destination broadcasts the node id of
9
NACK packet .Source requests the destination to send the
45 18 77
14 27
88
43 alternate forward path.
67 78
91 66
13
23 3. Performance Evaluation
44
21
51 The proposed algorithm is implemented in ns2 [6] and
22 6 16
54 the performance is evaluated in terms of network throughput
15
52 17
62 and packet delivery ratio
43
26
3
4
36
Evaluation Metrics:
83
17 The following metrics [6][8] evaluate the effectiveness of
44
81
5
80 B the proposed detection Scheme.
S
2
7 8
Packet delivery ratio: It is the ratio of number of packets
1
10 72 received and the number of packets sent.
98 54
Throughput: This gives the fraction of channel capacity
Figure 4. Source Node Detection. used for data transmission.
Communication Overhead: It is the ratio of overheads
Scenario 4: Node can be a compromised node with and without the detection scheme.
The existing methods such as CHEMAS, CADE, Average Latency: Mean time in seconds taken by the
[2][3][4][5] detect any two nodes in the selective forward packets to reach their respective destination.
path as malicious node . In CHEMAS, authors suggest that Undetected ratio: It is the ratio of number of undetected
malicious node lies within the rang of check points. In maliciously dropped packets to the total number of
CADE, authors present the detection mechanism to identify maliciously dropped packets.
the two malicious nodes in the forward path. The proposed 3.1 Simulation parameters
mechanism detects the exact compromised nodes. Check The parameters used in our simulations are shown in
point generates a trap message and forwards it to the next Table 1. Window is static and malicious nodes are randomly
check point stating that there is no packet drop exists upto located on the forward paths of source and base station.
that check point. Between the two check points, Node ids, check points, source and destination are assigned
acknowledgements of each node are cumulated if the data before the transmission starts.
has been transmitted successfully. Once the check point
receives the cumulative acknowledgement successfully then
it generates the trap message. If any node between the
check points fail to forward the data packet, Cumulative
acknowledgment and trap message, that node is suspected to
be compromised node. Cumulative Acknowledgment packet
can also drop by collision and timer expiry since nodes are
36 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Table 1: Parameters used in simulations During the data transmission, malicious nodes are
Area 2000mX2000m detected, and the authors have detected that node 2 is a
Nodes 50 check point node and also malicious node and other
Packet size 512 bytes malicious nodes are 7, 14 and 41 as shown in Fig. 8.
Transmission protocol UDP
Application Traffic CBR
Transmission rate 10 Mbits/sec
Pause time 24.73 sec
Maximum speed 31sec
Simulation time 100 sec
Propagation model Radio Propagation
Maximum Malicious node 50
Type of attack Selective forward attack
Examined DSR

3.2 Performance Results

In this section, the performance of the proposed
detection mechanisum is evaluated in terms of packet
delivery ratio and network throughput. The check points,
source node and destination nodes with its id are depicted
in the Fig. 6.

Figure 8. Detection of Compromised Nodes

In the simulation, the authors used different types of field

Figure 6. Node Deployment Phase
Few packet drops are occurred during the data
transmission Phase and are indicated in Fig. 7.
Figure 7. Data transmission Phase
configurations including the forward path nodes which are
moving randomly, pausing for a fixed time of 25 seconds
and moving randomly in a 2000m X 2000m area. The
simulation time is 100 seconds and results are taken after 50
simulation runs. The same trends are observed in the results.
The Constant Bit Rate (CBR) traffic is introduced while
data transmission to check the detection accuracy. It is
observed that Node 15 has dropped the packets due to CBR
traffic and the proposed mechanism does not suspect the
node to be a compromised node. The undetected ratio is 20
% which proves that detection accuracy is 80%. Further, it
is observed that though the packet drop occurs with the
overlap of different windows. The proposed mechanism does
not suspect the nodes as compromised node because of
different time interval and dynamic node id configuration. It
is observed that the packet drop due to traffic exists due to
overlap of the window. During the time interval from 30
seconds to 40 seconds and from 95 seconds to 96 seconds,
the packet is dropped only due to CBR traffic window
overlap. Few nodes hold the node id after the expiry of
timer. Its packet delivery ratio is 30% where as packet
delivery of normal nodes is 100% and it has been detected
as compromised node. This is depicted in Fig. 9. It is also
shown that packet delivery rate of normal nodes are from
70% to 100% and compromised node is only 30%.
It is observed that Node2 is a check point and is detected
as compromised node. The packet delivery ratio is 80% like
normal nodes. The proposed scheme detects the check point
based on node id. The timer of that particular node holds
above the maximum time delay. The authors observed that
timer of normal node id is 40 seconds but the timer of check
point is 120 seconds for a specific window. Fig. 10 depicts
the packet delivery ratio of check point node, normal node,
and malicious node. Further, the authors observed that
malicious node in the forward path drops 270 packets /100
 (IJCNS) International Journal of Computer and Network Security, 37
Vol. 2, No. 9, September 2010

seconds and throughput is 47 packets /second .The average

latency is 38.26 seconds after the detection of malicious
node and 50 seconds before the detection of malicious node.

Figure 11. Packet drop ratio

Figure 9. Packet Delivery Rate of normal nodes are from

70 % to 100% and compromised node is only 30 %.

Figure 12.Throughput
The researcher observes that the number of packets sent
and throughput vary due to the presence of malicious nodes.
In Fig. 11 and Fig. 12, the malicious nodes increase the
packet drop ratio and decrease the throughput of the
network, the presence of malicious node affects the
performance of the network. A cumulative
acknowledgement is transmitted up to the check point and
thus reduces the communication overhead in the forward
path.
The packet drop rate of the normal nodes is significantly
different from that of the compromised node. The proposed
detection scheme can achieve 90% of detection rate when
drop rate is less.
The performance of the scheme is compared with the
other existing schemes and it is tabulated in Table 2. The
overall performance of the proposed scheme is better than
the existing schemes. Though the scheme consumes 60% of
node energy, it provides better accuracy than the existing
schemes.

Figure 10. Check point as compromised node

38 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Table 2: Comparision with the Exsiting Schemes

References
Parameters CHEM CAD SPR Game Multi- Prop
AS E T theory hop osed [1] C.Karlof and D. Wagner, “Secure Routing in Sensor
Acknowl meth
edgement od
Networks: Attacks and Countermeasures”, In the
Detection High Not Hig Channe 95% 90% Proceedings of first IEEE International Workshop on
rate analy h l rate when Sensor Network Protocols and Applications, 2003.
zed and channel [2] H. Lee, T. Cho, “Fuzzy-Based Reliable Data Delivery
droppi error rate
ng rate is 15% for Countering Selective Forwarding in Sensor
Communicati Reason Not smal Not high high Networks”, Lecture Notes in Computer Science, pp.
on overhead able analy l analyze 535-544, 2007.
zed d
Includes base No No No No No no
[3] B. Xiao, B. Yu, and C. Gao, “CHEMAS: Identify
station for Suspect Nodes in Selective Forwarding Attacks”,
detection Journal of Parallel and Distributed Computing, Vol. 67,
Time Yes Not Yes Yes Not yes Issue 11, pp. 1218-1230, 2007.
synchronizati requi required
on red [4] B. Yu and B. Xiao, “Detecting Selective Forwarding
Identifies the Yes Not yes No yes yes Attacks in Wireless Sensor Networks”, in the
original analy Proceedings of. 20th International Sympsium on
reason for zed
packet loss Parallel and Distributed Processing (IPDPS 2006),
Security No Yes No No No yes pp.1-8, 2006.
against [5] Young Ki Kim, Hwaseong Lee, Kwantae Cho, and
sinkhole
attack
Dong Hoon Lee, “CADE:Cumulative
One-way key Requir Not No No Not requi Acknowledgement Based Detection of Selective
chains ed requi required red Forwarding Attacks in Wireless Sensor Networks”, in
the Proceedings of third International Conference on
red
Convergence and Hybrid Information Technology,
Duplicate None Data- No No Data Data
2008.
packet reply packet pack [6] N Bhalaji and Dr A Shanmugam, “Reliable Routing
et against Selective Packet Drop Attack in DSR based
ACK Alway pack No No none pack MANET”, Journal of Software, Vol.4 , No.6,2009.
generation s et is et is [7] Yenumula B reddy and S .Srivathsan, “Game Theory
drop dropp
Model for Selective Forward Attacks in Wireless Sensor
Networks”, in the proceedings of 17th Mediterranean
ped ed
conference on control and automation, Greece, June
Energy Not Not Not Not Not 60% 2009.
Consumption analyze analy anal analyze analyzed [8] Jeremy brown, Xiaojiang Du, “Detection of Selective
d zed yzed d Forward Attacks in Heterogeneous Sensor Networks”,
Nodes Station Stati Stati station stationary Mobi published in the Proceedings of ICC 2008.
ary onary onar ary les [9] Zia, T.A., and Zomaya, A.Y. “Secure Localization in
Wireless Sensor Networks. In the Proceedings of fourth
y
Asian Conference on Communication Systems and
4. Conclusions Networks (AsiaCSN 2007), April 2-4, 2007.
This paper has presented a dynamic window based [10] Zia, T.A., and Zomaya, A.Y. “Malicious Node
mechanism to detect selective forward attack. In packet Detection Mechanism in Wireless Sensor Networks” ,
forwarding routing algorithms need the detection in the Proceedings of International Conference on
mechanisms to identify the exact compromised nodes. A Network Security (ICONS 2007), Jan 29-31, 2007.
number of recent works have been studied before proposing [11] Zia, T.A., and Zomaya, A.Y, “Security issues in
this new methodology The drawbacks of the existing scheme Wireless Sensor Networks. In the Proceedings of
is compromised nodes may be any two nodes in the forward International Conference on Systems and Networks,
path and lies between the check points . We overcome the 2006.
drawbacks and we detected the exact compromised node [12] Zia, T.A., and Zomaya, A.Y. “A Secure Triple Key
which lies in the forward path base on Negative Management Scheme for Wireless Sensor Networks”.
acknowledgement, node id, and packet drop ratio. The In the proceedings of IEEE INFOCOM 2006.
simulation using 50 nodes has proved the effectiveness of
the proposed algorithm. The proposed scheme is equipped
with technique to identify and isolate the malicious nodes
from the active data forwarding and routing. Further studies
are required to reduce the packet drop due to overlap of
window and to evaluate the detection accuracy of proposed
detection mechanism using probabilistic approach.
 (IJCNS) International Journal of Computer and Network Security, 39
Vol. 2, No. 9, September 2010

Authors Profile
S.Sharmila received the B.E and M.E
degrees in Electronics and Communication
Engineering and Applied Electronics from
Bharathiyar University and Anna University,
India in 1999 and 2004 respectively. Her
research interest includes wireless sensor
networks,
computer networks and security.

G. Umamaheswari is Assistant professor in

Electronics and Communication Department,
PSG College of Technology, Coimbatore,
India. She completed her B.E. degree in
Electronics and Communication from Madras
University in 1989 and M.E. in Electronics
Engineering from Anna University, in 1992.
She is now supervising 5 Ph.D. candidates
40 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Factors that Influence Learner-Content Interaction in

the Online Top-Down Modeling Model
Environment
Sha Li1, Shirley King2, Yujian Fu3
1
Alabama A&M University, School of Education
4900 Meridian Street, Normal, AL 35762, USA
sha.li@aamu.edu
2
Alabama A&M University, School of Education
4900 Meridian Street, Normal, AL 35762, USA
shirley.king@aamu.edu
3
Alabama A&M University, School of Engineering & Technology
4900 Meridian Street, Normal, AL 35762, USA
yujian.fu@aamu.edu

Abstract: This article explores the learner-content interaction
in the Online Top-Down Modeling Model networked learning
environment. It used a graduate computer literacy course as a
case to explore the phenomenon. The findings of this study
expose the major factors that influenced learners to actively use
online learning resources and the factors that negatively
affected the learners in using online learning resources. It
discusses the strategies to design effective online learning
resources so as to motivate students into active involvement in
the Internet assisted resources-based learning.
Keywords: learner-content interaction, networked learning,
intrinsic factors, extrinsic factors, distance education.
1. Introduction
This section introduces the background of the learner-
content interaction in the networked learning environment.
1.1 The Background
Internet is impacting education profoundly. The Internet’s
capability of transferring information and multimedia
empowers the delivery of instructional materials. The
possibility of using online learning resources enables
educators with a platform to generate creativity and increase
the effectiveness of teaching and learning. The learning
interaction has always been the core issue related to the
quality of network assisted education [14]. More and more
varieties of learning resources are put online, leading to
more strategies for designing and using Internet-based
learning resources. Resource-based learning emerges with
the increasing use of the Internet [11]. The concept of
interaction is an essential element of the seven principles of
good practice in education [4]. These practices include:
encouraging faculty/student contact; developing reciprocity
and cooperation; engaging in active learning; providing
quick feedback; emphasizing the amount of time dedicated
to a task; communicating high expectations; and respecting
diversity. Wagner [24] defines interaction as “reciprocal
events that require at least two objects and two actions.
Interactions occur when these objects and events mutually
influence one another.”
Northrup [15] describes the purposes of the interaction as 1)
Interaction for content, 2) Collaboration, 3) Conversation, 4)
Intrapersonal interaction, and 5) Performance support.
Hirumi [12] indicates in his study that there are three levels
of interaction: Level I—within the learner, Level II—
between the learner and human/non-human resources, and
Level III—between learner and instruction. In summary, the
learner-content interaction has been recognized as very
important among all kinds of interactional perspectives.
The issue of learner-content interaction has caught the
attention of educators [13, 25]. It is a defining characteristic
of education [13]. The learner-content interaction is among
the four types of interactions in distance education [22]. The
four types of interaction have been recognized widely in the
literature as learner-content, learner-learner, learner-
teacher, and learner-interface [27, 28]. The learner-content
interaction is the essential process of learning in which the
learners intellectually interact with the cognitive content
matter. It is regarded an “internal didactic conversation”
when the learner transfers or internalizes knowledge input
in his mental cognitive structure [26]. Learning from a book
is a kind of learner-content interaction. Yet in the network
environment, learning from online resources makes the
learning input richer in variety and more challenging [19,
20, 21]. Thurmond [22] defined interaction as:
…the learner’s engagement with the
course content, other learners, the
instructor, and the technological
medium used in the course. True
interactions with other learners, the
instructor, and the technology results in
a reciprocal exchange of information.
The exchange of information is intended
to enhance knowledge development in
the learning environment. Depending
on the nature of the course content, the
reciprocal exchange may be absent –
such as in the case of paper printed
content. Ultimately, the goal of
interaction is to increase
Understanding of the course content or
mastery of the defined goals.
 (IJCNS) International Journal of Computer and Network Security, 41
The educational theorist Vygotsky [23] argues that learning
is fundamentally a social process. He also contends that the
most fruitful experience in learners’ educational processes
occur when they interact, in a context, with more
experienced partners or adults who provide an “intellectual
scaffold” that allows the learner to achieve a higher level of
skill or understanding than would be possible for the learner
to do alone. Scaffolding provides individualized support
based on the learner's “Zone of Proximal Development”
[23]. In scaffolding instruction as Vygotskey said, a teacher,
or an experienced person, provides scaffolds, or supports, to
facilitate the learner’s development. The student builds on
the prior knowledge and internalizes new information. The
activities provided in scaffolding are just beyond the level of
what the student can do alone. By scaffolding, the learners
can accomplish (with assistance) tasks that would otherwise
be overwhelming or they could not do.
Scaffolding can take many forms. The form should be
contingent on what the learner needs in order to move
forward and achieve a higher level of skill with that support,
until the next level is internalized by the learner and can be
enacted without support of the scaffolding.
In relation to active learning, constructivist learning has
drawn great attention [1, 3]. The constructivist learning
advocates assert that learning is experience based [6, 7]. The
learners bring in different perspectives, cultures, interests
and skills and actively engage in the learning activities.
The learners explore additional resources and brainstorm to
construct their own understanding and enhance learning
through dialogue and joint production of knowledge artifacts
for meaningful learning to occur. Constructivism suggests
that students need to explore subject matter in a broader
context than what is provided in their reading materials—by
sharing experiences and interacting [2]. Within the
constructivist paradigm, the emphasis of learning is on the
learner rather than on the teacher. It is the learner who
interacts with his or her environment and thus gains an
understanding of its features and characteristics. The
teacher is actually a facilitator who supports and guides the
students in the learning process.
Motivation is a component that energizes and directs
behavior toward a goal [8]. Motivation is the energy to
study, to learn and achieve, and to maintain these positive
behaviors over time. Motivation is what stimulates students
to make an effort
to acquire, transform and use knowledge [10, 29].
According
to Groccia, “People study and learn because the
consequences of such behavior satisfy certain internal and/or
external motives.” Without motivation, there would be no
learning.
Resource-based learning (RBL) is one instructional strategy
where students construct meaning through interaction with
a wide range of learning resources. The Internet assisted
resource-based learning empowers learners with a large
amount of information/resources and strategies necessary to
make learning a truly productive and meaningful experience
[5]. The RBL has a strong relationship to Inquiry Learning,
Project-Based Learning and Problem-Based Learning. It is
Vol. 2, No. 9, September 2010
student-centered and allows them to discover knowledge for
themselves in a constructivist manner [9].
When teachers establish or design an effective course with
online learning resources, there needs to be a connection to
the learners. An effective course with learning resources
ready is definitely effective in connecting students to this
highly efficient learning behavior. The students’ needs and
expectations for learning are vital to teachers.
Understanding the students and what motivates students
toward effective learning behavior is conducive to effective
teaching and planning.
Li and his colleague [18] have created an online learning
model, the Online Top-Down Modeling Model at Alabama
A&M University. The purpose of this model is to enhance
the learning effectiveness through the learner-resource
interaction on a graduate course website of FED 529
Computer-Based Instructional Technology at
http://myspace.aamu.edu/users/sha.li. The FED 529 Course
is a computer literacy course for graduate teacher students.
It is taught in a blended format of the online resources and
assisted traditional instruction. It is a project-based
computer literacy class. It includes project creation, problem
solving, hands-on activities and theory-based learning.
Learning is based on a constructivist paradigm. The teacher
teaches, but provides a resource rich course website to
scaffold learners. The course website has plenty of tutorials
and project models such as Word projects, PowerPoint
projects, Excel projects, video production, and web page
design, graphics design and tutorials. The tutorials (in
FAQs) are available online in text and video formats.
Through the integration of the online learning resources
into class instruction, the effective learning outcome occurs,
and the students’ motivation and positive attitude toward the
use of technology-aided learning resource increases [18].
Even though the FED 529 class website provides plenty of
learning resources for learners to access, this kind of
interaction is learner-content, a one-way interaction. Some
two-way interaction takes place in the Blackboard online
learning space, such as discussion, chat room, video
conferencing, email listserv, and bulletin board. The course
website and the Blackboard space both constitute the online
learning platforms for this class. The design of the course
website interface is in Fig. 1.
This article tries to describe the factors that influence the
learners’ behavior in the learner-content interaction in the
Online Top-Down Modeling Model network environment.
Then the statistic data from surveys are analyzed to find the
student perspectives and experiences in relation to the
factors that influence their interaction with the online
learning resources.
There are several factors that commonly related to the
student learning behavior in using online learning
resources:
1) The extrinsic factors: the course content matter, the
supportive resource platform, the course
requirement, trustful and reliable resource
environment, grading policy, and the social
influence.
42
2) The learner’s intrinsic factors: interest, motivation,
expectation to learn, and self efficacy.
1.2 The Extrinsic Factors
Extrinsic factors are factors from the environment that relate
to the students’ motivation of accessing the online learning
resources.
1.2.1 The Course Content Matter
The FED class is a multimedia driven computer class.
Almost every student likes multimedia, such as graphics
design, animation, photo editing, sound editing and video
production. Using multimedia to motivate students to learn
computer literacy skills is the main strategy of this class.
There are plenty of multimedia projects online that are free
to education and students. Those attractive online resources
are the initial motivators to the students to engage learners
in learning, critiquing, creating and to mimicking the
models.
1.2.2 A Supportive Resource Platform
This class is a blended format that uses online support as a
supplement to learning. The classroom provides the face-to-
face interaction, and the online learning resources provide
learner-content interaction for learning purposes. The
website interface is user-friendly and easy to navigate. Once
students found the online learning resource a trustful,
reliable and convenient support, the students’ motivation to
use it increased.
Figure1. The Layout of the Online Top-Down
Modeling Model Site
1.2.3 The Course Participation Requirement
The instructor set the rules for the students to participate in
the online learning activities. Each student must review
three online model projects and tutorials to learn new
projects. They have to post three discussions in each module
to critique other people’s or other teams’ projects on the
Blackboard Discussion Board. For the four modules of the
whole semester, at least twelve accesses to the online models
and twelve discussion postings are required. Actually most
students created more postings than required. The access to
the online communication activities are monitored and
marked for grades. This makes it a disciplinary guideline for
the teacher to monitor and prompt the students to retrieve
and respond to the learning information.
1.2.4 The Social Influence
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
The social influence is essential to the students’ attitude
toward using of the online learning resources. The
experienced students who had this class before or who used
online learning resources successfully often impacted each
other in sharing the information on how to use online
resources successfully.
1.3 The Intrinsic Factors
Intrinsic factors are factors psychologically in the learner.
The intrinsic factors have the most influence to guide the
learners’ behavior.
1.3.1 Interest
Interest is the major factor that stimulates learning. Without
interest, there would be no learning [17]. Our students are
graduate teacher students. Using effective computer-based
projects in teaching has aroused their attention and interest.
The students’ personal interest to learn the multimedia skills
guides them to invest energy and efforts in learning and
searching for the useful resources.
1.3.2 Motivation
Motivation directs behavior toward particular goals;
motivation leads to increased effort and energy, and
increases initiation of and persistence in learning activities
[30]. Since this course stimulates students’ interest, students
are motivated to be involved in the activities. While they
learn, they generate high frequency of using online learning
resources to retrieve information and support.
1.3.3 Personal Goals and Self Expectation
The learner’s personal professional goal and high self
expectation are another factor that transferred into
motivation in learning. The higher self expectation drives
students to aim high and work harder. The more dedicated
workers always expected to see more and create more. The
Internet resources were the easiest channel to meet their
expectation. Those students had a higher frequency of
accessing the online learning resources for their learning
purposes.
2. Method
To verify the students’ perspectives on the factors that
influence their use of online learning resources, a survey is
distributed. Then the descriptive statistic analysis is
conducted. Twenty-nine students in the FED 529 Computer-
Based Instructional Technology course participated in the
survey in the spring semester of 2010. The data are
presented below.
Table 1: Students’ Responses about their Multimedia
Preference related to their learning Style
# Question: My learning style N %
with using multimedia is
_________
I like visual information more
1. 17 59
than others.
I like auditory information more
2. 0 0
than others.
 (IJCNS) International Journal of Computer and Network Security, 43
Vol. 2, No. 9, September 2010

syllabus, multimedia resources, discussion board, digital

3.
I like text information more
0 0
drop box, modules, and to browse the course website out of
than others. interest. From Week 3 to Week 8, the frequency was a little
lower, probably because the course projects were a little
I like the visual and auditory easier at the start, and students needed less support from the
combined information like website with face-to-face teaching ready in the classroom.
4. 12 41
graphics, animation, video, etc.
During Week 9 and 10, students have highest frequency of
combined with sound/music.
access to the course website, it is because the students
From Table 1, we can see that the students’ media related encountered with more challenging issues to solve and
learning styles preference focuses on Choice 1, visual needed more online resources to help, as observed. From
information, and Choice 2, visual and auditory combined week 10 to the last week, the students’ access frequency
information. The auditory only information (Choice 2) and drops gradually with the probable reason that they gradually
the text only information (Choice 3) are not preferred. Since became more familiar with the course content and depended
Internet information is rich with graphics and sound, less on the course online resources. And also they might
providing multimedia rich resources for learners is preferred start being busy preparing for the final exam. The weekly
in the Internet assisted learning environment. average frequency is 87. Definitely we saw that some of the
students were tech-savvy, they learned more independently,
Table 2: Students’ Responses to their relying less on the course online resources or facilitation.
Preference of the Sources of information Table 3 shows the factors that positively influence the
students to access the online learning resources. Item
Question: When searching Number 1 to Item Number 8 relates to the resource content
# Internet learning resources, I N % that motivated students to use the online learning resources
like to use__
for tasks. Item Number 9 to Item Number 13 relates to the
needs and
1. Resources from our course
4 14
website.
Table 3: Factors that Positively Influence the
2. Resources from other Learners’ Access to Online Learning Resources
5 17 # Question Mean SD
websites
1. The online learning resources are
0.5
3. Resources from both of the information-rich, multimedia driven, 1.41
20 69 0
above websites. interesting, and engaging.
In Table 2, it is shown that students prefer resources from 2. The online course info like syllabus,
0.5
both the course website and general websites. That means course rules/requirements are 1.52
1
important to me.
that students liked a broadened vision of the learning
3. The online content/knowledge 0.5
resources instead of a narrow focus on what one source of 1.45
resources are important to me. 1
websites could provides. 4. The problem solving support
0.5
resources like tutorials/help are 1.48
Figure 2. The Frequency of the Student Access of 7
necessary to me.
the Course Website for Learning Resources 6. The communication tools/resources 0.7
1.59
are useful and comfortable to me. 3
7. The online collaborative/team work 0.5
1.55
support resources are helpful to me. 7
8. The online ongoing information like
0.5
modules, discussion, Bulletin Board 1.41
0
news are important to me.
9. I access online learning resources
0.4
when I have to learn new skills and 1.31
7
knowledge.
10. I access online learning resources 0.5
1.48
when I prepare for the class. 1
11. I access online learning resources 0.5
1.31
when I encounter problems. 4
12. The effectiveness of the online
0.7
learning resources motivates me to 1.55
4
Figure 2 shows the students’ frequency of accessing the FED use more of them.
13. My own increased experience
529 course website to retrieve the online learning resources 0.4
motivates me to use more of the 1.21
(not including the students’ access to other websites). The 1
online learning resources.
frequency is tallied in the Blackboard Course Management 14. The teacher’s use of online resources 0.5
System. In Fig. 2, during Week 1 and 2, students had a little 1.38
influences me to use them. 6
higher frequency of accessing online learning resources, 15. The peer’s use of online learning 0.6
because they wanted to get familiar with the new course 1.59
resources influences me to use them. 8
network environment like introduction to the course, rules, N = 29, Strongly Agree = 1, Strongly Disagree = 5
44 (IJCNS) International Journal of Computer and Network Security,
reasons why students like to use the online learning
resources. Item Number 14 to Item Number 15 relates to
how social effect influenced the students to use the online
learning resources. Since the survey value of Strongly Agree
is 1, and Strongly Disagree is 5, the lower the values, the
more positive it is. It reveals that most of the students think
that they access online learning resources voluntarily based
on their learning needs and interests to the resource content,
subject matter, or out of social influence.
Table 4 shows the factors that might negatively affect the
students’ access to the online learning resources. The
response sequence range from 1 to 5 represents the students’
preference mean value sequence from the lowest to the
highest on those questions. The data in this table verify
students’ use of the online learning resources from another
angle. The students’ responses to the five questions indicate
that those factors negatively affecting students’ use of online
learning resources did not produce a big consequence on the
learners,
Table 4: Factors that Negatively Affect the
Learners’ Access to Online Learning Resources
# Question Mean SD
1. If I can do without finding
information and support from 2.3 1.0
Internet, I don’t want to spend time 8 8
searching Internet resources.
2. If I had a hard time to locate the
expected resource online, I drop using 2.8 1.3
it. 6 6
3. I drop searching online learning
resources because I feel intimidated 3.5 1.3
and frustrated to use Internet. 5 5
4. I don’t really search for Internet
resources because I am not skillful 4.0 1.0
enough and not familiar with online
7 3
learning resources.
5. I don’t really use online learning
resources because I don’t have an
4.1 1.0
easy access to facilities like
7 7
computers, laptops, a computer lab
and Internet connection.
N = 29, Strongly Agree = 1, Strongly Disagree = 5
but their information skills should be increased to minimize
the negative influence and to increase their confidence in
accessing online learning resources, since the use of online
learning resources is a voluntary and self motivation-based
learning behavior.
3. Discussion and Conclusion
The findings show that factors that influence the learners’
use of online learning resources include several variables. It
indicates that the multimedia variety of the resources is an
important factor in motivating students to use online
learning resources. The content of the course website
resources are favored by the students because they are
targeted to the course content and activities, and are the
instant help to them. Both the course website resources and
the general Internet learning resources are preferred by the
Vol. 2, No. 9, September 2010
learners because more sources of resources provide more
varieties of information and tools that broaden students’
vision and inspire creativity. The convenient web design and
the social influence are also impacting factors to the learners
in using online learning resources. Finally, the personal
experience of the information skill is also important. The
more experience the students have to use online learning
resources, the more willing the students are to use them.
The factors that negatively affect the learners’ use of the
online learning resources include the event in which
learners could finish the projects/assignments without using
online learning resources. They choose not bothering to
search if they don’t have to. The next is the factor that the
personal frustration and limited skills in using online
learning resources impede them from using online learning
resources. The last factor is the least recognized but is
practical---having limited access to the facilities/computers
to access online learning resources. Currently, computers
and Internet access facilities are much cheaper than before,
that is why it is considered as the least influential factor to
affect the learners’ access to the online learning resources,
even though it cannot be assumed that all students have
these available.
To understand learners is necessary for the teacher to teach
effectively. Understanding the factors that influence
learners’ access to use online learning resources is beneficial
for the teachers to design and prepare the effective
instruction and learning materials for learners with Internet
technology. Students are not passive “receptacles” of
information. Knowledge emerges only from situations in
which learners draw it out of meaningful activities. The
design of effective learning resources must be combined
with the content targeted learning activities which drive
students in active thinking and creative doing, which then
turns into active exploring on the Information Net. To
motivate more students’ use of the online learning
resources, the following strategies are suggested:
1. Teach the students about the information skills to use
the available course online resources and resources
from other websites.
2. Design user-friendly course web interface for students
to surf on an easy-to-use resource website.
3. Design and frequently update the course online
learning resources that are anchored at the course
content and activities. The strong relation to the
learning content and goal is a motivation to students in
using online learning resources.
4. Combine the use of the online learning resources with
the learning activities like searching information for
problem-solving, critical thinking, and creativity.
5. Provide facilitations or scaffolding online to alleviate
students’ frustration in learning. The just-in-time help
at a click will convince students about a trustful and
reliable resource for their academic growth.
After this study, we expect further research that could
explore the learners’ psychological behavior in using online
learning resources and their correlation with various
variables.
 (IJCNS) International Journal of Computer and Network Security, 45
Acknowledgement: This project is funded by the Title III
Mini Research Grant. Great thanks to the Title III Office in
the Alabama A&M University for their support to this
project.
Reference:
[1] G.J. Brooks, G.M. Brooks, In Search of Understanding:
The Case for Constructivist Classrooms. Association
for Supervision and Curriculum Development,
Alexandria, VA, 1993.
[2] J. Bruner, Going Beyond the Information, Norton,
Given. New York, 1973.
[3] J.P. Byrnes, Cognitive Development and Learning in
Instructional Contexts. Allyn and Bacon, Boston,
1996.
[4] A.W. Chickering, Z.F. Gamson, Seven principles for
good practice in undergraduate education, AAHE
Bulletin, 39(7), 3-6, 1987.
[5] C. Crook, Deferring to Resources: Collaborations
around Traditional vs. Computer-based Notes, Journal
of Computer-Assisted Learning, 18, 64-76, 2002.
[6] J. Dewey, Experience and Education. Macmillan, New
York, 1938.
[7] J. Dewey, Democracy and Education, Free Press, New
York, 1966.
[8] P. Eggen, D. Kauchak, Educational psychology:
Classroom connections, (2nd Ed.), Macmillan
Publishing Company, New York, 1994.
[9] G. Gibbs, N. Pollard, J. Farrell, Institutional Support
for Resource Based Learning, Oxford Centre for Staff
Development, Oxford, 1994.
[10] J.E. Groccia, The college success book: A whole-
student approach to academic excellence. Glenbridge
Publishing Ltd , Lakewood, CO, p. 62, 1992.
[11] J.R. Hill, M.J. Hannafin, The resurgence of resource-
based learning. Educational Technology, Research and
Development, 49(3), 37-52, 2001.
[12] A. Hirumi, A Framework for Analyzing, Designing,
and Sequencing Planned eLearning Interactions,
Quarterly Review of Distance Education, 3(2), 141-
160, 2002.
[13] M.G. Moore, Three types of interaction. The American
Journal of Distance Education, 3(2), 1-6, 1989.
[14] B. Muirhead, Enhancing social interaction in
computer-mediated distance education, USDLA
Journal, 15(4), 2001.
[15] P.T. Northrup, A Framework for Designing
Interactivity into Web-Based Instruction, Educational
Technology, 41(2), 31-39, 2001.
[16] J. Piaget, The Psychology of Intelligence, Routledge,
New York, 1950.
[17] M. Pressley, C.B. McCormick, Advanced educational
psychology: for educators, researchers, and
policymakers. Harper Collins college Publisher, New
York, 1995.
[18] S. Li, D. Liu, The Online Top-Down Modeling Model,
Quarterly Review of Distance Education, 6(4), 343-
359, 2005.
[19] G.T. Sciuto, Setting students up for success: The
instructor’s role in creating a positive, asynchronous,
Vol. 2, No. 9, September 2010
distance education experience. Virtual University
Gazette. January 2, 2004. Available:
http://www.geteducated.com/vug/aug02/vug0802.htm
[20] N. Shin, Beyond interaction: The relational construct
of 'Transactional Presence'. Open Learning, 17, 121-
137, 2002.
[21] P. L. Smith, C.L. Dillon, Comparing distance learning
and classroom learning: Conceptual considerations.
American Journal of Distance Education, 13(2), 6-23,
1999.
[22] V.A. Thurmond, Examination of interaction variables
as predictors of students' satisfaction and willingness
to enroll in future Web-based courses while controlling
for student characteristics. Unpublished Dissertation,
University of Kansas, Parkland, FL, p. 4, 2003.
[23] L.S. Vygotsky, Mind in society, the development of
higher psychological processes. Harvard University
Press, Cambridge, Ma, p. 86, 1978.
[24] E.D. Wagner, In support of a functional definition of
interaction. The American Journal of Distance
Education, 8(2), 6-26, 1994.
[25] G. Zafeiriou, J.M. Nunes, N. Ford, Using students'
perceptions of participation in collaborative learning
activities in the design of online learning
environments. Education for Information, 19, 83-106,
2001.
[27] H. Chen, Interaction In distance education. January 4,
2004. Available:
http://seamonkey.ed.asu.eduac/disted/week2/7focushc.
html
[28] M.W. Crawford, Students' perceptions of the
interpersonal communication courses offered through
distance education, unpublished doctoral dissertation,
Ohio University, 1999. UMI Dissertation Services,
(UMI No. 9929303).
[29] B. Holmberg, Growth and Structure of Distance
Education. Croon Helm, London, 1986.
[30] P. R. Pintrich, V. De-Groot, Motivational and self-
regulated learning components of classroom academic
performance. Journal of Educational Psychology,
82(1), 33-40, 1990.
Author Profile
Sha Li received the doctoral degree in educational technology from
the Oklahoma State University in 2001. He is an Associate
Professor in the Alabama A&M University. His research interests
are in E-learning in the networked environment, distance
education, multimedia production, and instructional design with
technology. He is also an instructional design facilitator for the
local public school systems.
Shirley King received the Ed. D. degree in Special Education from
the University of Alabama. She is an Associate Professor in the
Alabama A&M University. Her research interests are in special
education, elementary education, and multicultural education. She
is the Program Coordinator of a USAID Textbooks and Learning
Materials Project serving Ethiopia.
Yujian Fu received the Ph. D. degree of Computer Science from
the Florida International University. She is an Assistant Professor
in the Alabama A&M University. Her research interests are in
software verification, software quality assurance, runtime
verification, and formal methods.
46 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Video Streamed Acces and Use Control Using

Digital Rights Management
Morad Rafi1 and Mohsine Eleuldj2
Mohammed V University, Mohammedia School of Engineers (EMI),
Telecom & Computer Departements
Avenue Ibn sina, B.P. 765 Agdal Rabat Maroc
Tel: (212-537) 77.26.47
1
rafimourad@gmail.com, 2eleuldj@emi.ac.ma

signals which it then converts (encodes) into a series of IP

Abstract: Digital Rights Management (DRM) is collection of
technologies which protect the copy right holder’s revenue by
protecting their digital works, based on a secure architecture
against any illegal use. The challenge of DRM is to control, in
real time, the access and use of these digital contents over a
communication channel. In this paper we will use DRM
technologies to control access and use of streamed videos in the
case of a bandwidth-limited network. This contribution makes it
suitable to enable real time DRM in multimedia systems.
Keywords: DRM, Network, Real time, Video Streaming,
Control.
1. Introduction and Motivation
One of the fastest growing and most profiting sectors
of today’s economy is information industry. Its success
has in short time brought new opportunities to do
business with digital information products. New
technologies like telecommunications, Internet, etc… is now
enabling a new business models --- e-Commerce. On the
market of digital content, this results in information
prosperity and provides new distribution channels, lower
costs and fewer barriers.
The development of the broadband network allows the
exchange, the download and the diffusion through the Peer
to Peer networks, and perfect numerical reproduction of a
digital content.
Moreover, the use of technologies which are at the
same time sophisticated and simple to handle as well as
the provision of a powerful reading equipment of digital
contents facilitate the task to circumvent technical
protection measure of digital contents.
Now industry is demanding urgently an efficient mechanism
for e-Content protection. Thus DRM systems [1][2][3] were
designed and implemented to take up the challenge to
protect the copyright holder’s revenue by protecting their
works against illegal use based in secure architecture[4][5].
These systems authorize only controlled rights associated
with digital contents.
Traditional analog video is sent as a continuous stream of
electrical signals over a cable from the source (camera) to
the destination such as a video monitor. Digital technology
and IP has changed that. With this new type of video, a
digital camera translates the viewed image into digital
packets that can be sent out over an IP-based network as a
data stream. The IP network may be a local area network, a
company wide area network, or even the public internet. At
the destination, the receiver re-assembles these packets back
into the original video stream. The reconstructed video can
then be viewed, stored, searched, replayed, or retransmitted.
Unlike other types of data, video requires large amounts of
bandwidth, as well as highly reliable, predictable delivery
mechanisms. Unfortunately, IP was not designed to provide
this guaranteed quality of service (QoS) to the different
types of traffic it carries and frequently one or more packets
may be dropped during transmission. For applications such
as video, packet re-transmission is a poor option since the
missing packets are required to accurately reproduce the
video image. Unmanaged, these factors cause latency, which
result in poor quality or even unusable video at the receiving
end.
In this context, the use of Digital Rights Management
(DRM) [6][7] to control the access and use of streamed
video can degrade the quality of the broadcast (stream) of
any digital contents through internet or telecommunication
network.
In order to study the use impact of DRM technology, we will
use MATLAB/Simulink to simulate real time DRM control
streaming video over a bandwidth-limited communication
channel.
It is necessary to specify rules stating the use conditions of
the digital contents. These rules are often expressed in the
form of a license which is a kind of contract between a
supplier of a digital content and a consumer. A language to
express licenses is needed. The Rights Expression Language
(REL) chosen was the standardized MPEG-21 REL [8][9]
witch is simple and sufficiently expressive in order to meet
the requirements of the streaming videos over networks.
The reminder of this paper is organized as follow: In section
2 we present our main contribution which consists of
introducing DRM technologies to control user rights for a
streamed video in real time. Then Experimental results are
presented. The paper concludes in section III.
 (IJCNS) International Journal of Computer and Network Security, 47
2. Main Contributions and Experimentation
3.6 Studied Model
The Figure1 illustrates the video streaming scenario studied
which consists of 3 parts: A video streaming source server
(Blue block, Fig.2), video end user (Brown block, Fig.2) and
a bandwidth-limited communication network (Green block,
Fig.2). The implementation of DRM access control can be
done either in the server side or in the end user side.
Video End
Video Source User
Server
Bandwith -limited
communication channel
Figure 1. Video streaming over networks scenario studied
The Model (Fig.2) presents the studied scenario to
implement DRM control which is simulated using
MATLAB/Simulink. It illustrates a communication system
that sends frames of video data over a channel. By dropping
frames that wait too long to reach the end user, the model
also illustrates how to use timeouts to implement point-to-
point timing constraints. The video file used for the
simulation is vipmen.avi (120*160, 30fps).
Figure 2. Video streaming Over Bandwidth-limited
Communication Channel
3.7 Introduction of DRM technologies
In order to implement DRM to control the use of the video
in real time we have chosen the standardized MPEG 21
Rights Expression Language to express the licenses [11].
These licenses, XML based, contain the rights that a user
has and will be evaluated during DRM process. The license
can be located in the source server side or in the end user
side.
Vol. 2, No. 9, September 2010
The DRM process is as follow:
1-The User request a play right for the video streamed.
2-The DRM block parse the license XML based with a
parser
3-The DRM block evaluate the license according to the user
request
4-If the play right exist then the user can play the video
5-If the play right doesn’t exit then a message will be played
informing the user that he/she is not authorized to play the
video.
The MPEG-21REL Embedded MATLAB Function Block is
inserted to the studied model to control user rights for the
video streamed.
We have two possibilities to implement the control: a)-In the
video streaming server side or b)-in the end user video
player side.
a)-In the video streaming server side:
In the video source block (Fig.3), the embedded function is
inserted to control the user rights before the video can be
streamed in the case of a video on demand or IPTV [12].
The Red elements illustrate the added DRM controls:
Figure 3. Video Source block with DRM components
inserted to control user rights for the streamed video.
b)-in the end user video player side:
In the end user video block (Fig.4), the MPEG-21 REL
Embedded MATLAB function can be inserted to control the
user rights for the video before to be played. The Red
elements illustrate the added DRM controls:
Figure 4. Video End User block with DRM components
inserted to control user rights for the streamed video.
48
The added DRM controls components are:
1- The Embedded MATLAB function block (Fig.5)
that we call “MPEG-21 REL” which consists of
controlling the video user rights by parsing the
XML license file
Figure 5. MPEG 21 REL Embedded MATLAB Function
After parsing the XML license file and evaluating the user
rights, if the user is not authorized to view the video the
constant K will be equal to “0” (Fig.10b):
Y1= U1
Y2= K*U2 , K =0 in order to transmit the video
Y3= U3 without the green colour to deliver
Y4= 0 a bad quality of video.
Y5= 0
Y6= 0
Yi: The R,G,B output variables
Uj,: The R,G,B input variables
i=1,2,3,4,5,6.
J=1,2,3.
After parsing the XML license file and evaluating the user
rights, if the user is authorized to view the video (Fig.10a):
Y1= 0
Y2= 0
Y3= 0
Y4= U1
Y5= U2
Y6= U3
2- The MATLAB Insert Text block which consists of
watermarking the streamed video by inserting a
text informing the user that he/she is not
authorized to play the video. The video viewed by
the user is a bad quality of the original video.
Figure 6. Insert Text MATLAB block
3- The MATLAB Add element which consists of
adding the outputs signals.
Figure 7. Add MATLAB block
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
3.8 Simulation and Experimentation
2.3.1 Without DRM Control
When we run the simulation without DRM components
(Fig.8), we have the Scopes that plot the following
quantities to evaluate performance:
-uThe size of the “input buffer” shows how many frames
are waiting in the channel. Frames accumulate in the input
buffer until they either progress through the channel or time
out.
-vThe size of the “reception buffer” shows how many
frames are waiting in the receiver. Before T=10, frames
accumulate in the reception buffer because the block labelled
Flow Control keeps the path closed between the receiver's
buffer and the video viewer.
-wThe status of “underflow” events in the receiver has a
value of 1 whenever the Release Gate block permits a frame
to advance from the reception buffer to the video viewer, but
no frame is present.
-xThe “communication delay per frame” shows how
long the channel delays each frame that has advanced
beyond the input buffer. In this model, the delay is periodic.
-yThe “number of timed-out entities” shows how many
frames have timed out in the channel. The end user does not
receive these frames and can observe a gap in the video if
many consecutive frames time out.
u v w
x y
Figure 8. Simulation results without introducing DRM
controls
2.3.2 With DRM Control
The simulation using DRM control gives the same video
performance as the original model without using DRM
control for the case of authorized user (Fig.8, Fig.10a) or for
the non-authorized user (Fig.9, Fig.10b). This shows that
our implementation of the DRM control don’t affect the
network performance and the quality of the streamed video.
 (IJCNS) International Journal of Computer and Network Security, 49
Vol. 2, No. 9, September 2010

have find “XMLTree” [13] which is an XML parser toolbox

that can be added to the set path of MATLAB. The XML
Parser is an XML 1.0 parser written in MATLAB. It aims to
be fully conforming. This XML Parser is embedded in a
MATLAB class (@xmltree) including powerful methods to
import, export, access and modify the data. Xpath[14] is
used for addressing parts of the XML document. This
program is free software, distributed under a GPL License.

Figure 9. Simulation results using DRM control.
3. Conclusion
In this paper we have used DRM technologies to control
access and use of real time streamed videos in the case of a
bandwidth-limited network.
The video quality and network performance was not affected
by DRM processing. This makes it suitable to enable real
time DRM e-commerce. Further research is under way to
convert the program into VHDL to be tested on FPGA since
the MATLAB software support the conversion operation to
VHDL if all the components or programs are synthesizable
like the parser used. In order to secure licenses to be
tampered with we can convert them to binary format. Also
more complex licenses will be studied in order to deal with
complex business model and the XML licenses time parsing.

4. References
a) Output video for authorized user b) Output video for non authorized user

Figure 10. Comparison of the output videos

[1] O. Patkanen, M. Valimaki, “Towards a Framework for
Digital Rights Management”, hiit.fi, [Online].
The MPEG 21 REL license file Alice.xml used for the Available:
simulation is as follow: Alice has the right to play the video www.hiit.fi/~opp/pub/drm_framework_iec2000.pdf.
18 times. [Accessed: Sept. 15, 2010].
[2] P. Herwann, “Rapport DRM DESS,”, Université
<?xml version="1.0"?> René Descartes, Paris, France, 2004.
<license> [3] P. Chantepie. M. Herubel, F. Tarrier, “Mesures
<!-- This is the first entryofour Address Book--> Techniques de Protection des œuvres & DRMS-1ère
<grant lastModified="04-Jun-2009"> Partie : Un état des lieux,” Rapport Inspection générale
<keyHolder> de l'administration des affaires culturelles, Paris,
Alice
France, 2003.
</keyHolder>
<mx:play/>
[4] M. Rafi, M. Eleuldj, “Digital Rights Management,” In
<digitalResource> Proceedings of the La conférence Internationale sur les
<nonSecureIndirect URI="urn:video.world/999999/video/vpimen.avi"> Nouvelles Technologies de la Répartition (NOTERE),
</nonSecureIndirect> 2007.
</digitalResource> [5] M. Rafi, M. Eleuldj, Z. Guennoun,“ Digital rights
<allConditions> management adaptable architecture,” In Proceedings of
<exerciseLimit> the 3rd IEEE International Conference on Information
<count> & Communication Technologies: from Theory to
18 Applications (ICTTA), 2008.
</count>
[6] M. Rafi, M. Eleuldj, “Les jetons dans les DRM,” In
</exerciseLimit>
</allConditions> Proceedings of the Les 2ème JOurnées Scientifiques en
</grant> Technologies de l'Information et de la Communication
</license> (JOSTIC), 2008.
[7] M. Rafi, M. Eleuldj, O.Diouri, “ Digital rights
management-A developpement of a media player,”
In Proceedings of the Scientific Research Outlook &
Constraint of Simulation Technology Development in the Arab World’08-SRO5,
MATLAB don’t have a toolbox that can be used to parse ICT Conference, 2008.
XML files. We have had to find a parser compatible with [8] M. Rafi, M. Eleuldj, Z. Guennoun, “Improvement of
MATLAB to perform the simulation. After hard search, we MPEG-21 Rights Expression Language,” In
Proceedings of the 7th ACS/IEEE International
50 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Conference on Computer Systems and Applications

(AICCSA), 2009.
[9] “Moving Picture Expert Group. ISO/IEC JTC/SC29
WG11”, chiariglione.org, [Online]. Available:
http://www.chiariglione.org/mpeg/index.htm.
[Accessed: Sept. 15, 2010].
[10] “MATLAB Software”, mathworks.com, [Online].
Available: http://www.mathworks.com. [Accessed:
Sept. 15, 2010].
[11] “MPEG 21 REL”, chiariglione.org, [Online].
Available:
http://www.chiariglione.org/mpeg/technologies/mp21-
rel/index.htm. [Accessed: Sept. 15, 2010].
[12] “IPTV (Internet Protocol Television)”, wikipedia.org,
[Online]. Available:
http://en.wikipedia.org/wiki/IPTV. [Accessed: Sept.
15, 2010].
[13] “XMLTREE:XML toolbox for MATLAB”, artefact.tk,
[Online]. Available:
www.artefact.tk/software/matlab/xml. [Accessed: Sept.
15, 2010].
[14] “XML Path Language (XPath)”, w3.org, [Online].
Available: http://www.w3.org/TR/xpath. [Accessed:
Sept. 15, 2010].
 (IJCNS) International Journal of Computer and Network Security, 51
Vol. 2, No. 9, September 2010

Generating the New S-box and Analyzing the

Diffusion Strength to Improve the Security of AES
Algorithm
Mohan H. S.1 and A Raji Reddy2
1
Research Scholar, Dr MGR University, Chennai. India
mohan_kit@yahoo.com
2
Professor, Department of Electronics and Communication
Madanapalle Institute of Technology & Science, Madanapalle. India
ar_reddy@yahoo.com

algorithm. A large or changing group of users cannot use

Abstract: Shared-key (symmetric) encryption is the most
fundamental cryptographic task. It is used in a large variety of
applications, including protection of the secrecy of login
passwords, ATM, e-mail messages, video transmissions, wireless
systems and internet-distributed digital content. Several
encryption algorithms are available for deploying into these
applications. The earlier standard for shared key encryption was
the DES cipher, which was developed by in the early 70’s. Later
RIJNDAEL was proposed and was selected as the Advanced
Encryption Standard (AES). The main objective of this paper is
to analyze RIJNDAEL algorithm, a Shared-key (symmetric)
block cipher supporting 128-bit blocks and 128-bit key size and
to develop a new S-box. Design of block ciphers requires
implementation of high speed algorithms with less number of
rounds. The number of rounds in a block cipher is decided
based upon the resistivity levels against the known attacks. The
very first level of attack on an encryption algorithm is to search
for repetitive cipher values and relate them to plaintext. This
attack can be made ineffective if an algorithm is designed to
comply with Strict Avalanche Criteria (SAC). In this paper,
diffusion analysis based upon First order SAC and higher order
SAC is carried out for RIJNDAEL algorithm and suggesting a
new S-box generation. The results provide good insight into
RIJNDAEL strength by using the diffusion behavior and useful
in the design of new strong encryption algorithm.
Keywords: Diffusion analysis, Strict Avalanche Criteria, First
order SAC, higher order SAC.
1. Introduction
Cryptography allows people to send and receive information
over the communication channel thus allowing them to do
business electronically, without worries of deception. The
perpetual increase of information transmitted electronically
has led to an increased reliance on cryptography.
Cryptography is important to the continual growth of
Internet and E-commerce.
Various cryptographic tools are used to provide
information security. These tools are to be evaluated with
respect to various criteria for (1) Level of security (2)
Functionality (3) modes of operation (4) Performance and
(5) ease of implementation.
A cryptographic algorithm or a cipher is the
mathematical function used for encryption and decryption.
If the security of an algorithm is based up on the way that
algorithm works as a secret then it is known as restricted
them, because every time a user leaves the group, everyone
else must change the algorithm. Even more, restricted
algorithms allow no quality control or standardization. But
these are enormously popular for low security applications.
Modern cryptography solves this problem with a key,
denoted by k. Both the encryption and decryption operations
use this key. So the encryption and decryption functions now
become Ek (M) =C for encryption Ek→Encryption using key
k, M→ message Dk (C) =M for decryption Dk →Decryption
using key k, C→ cipher text.
1.1 Symmetric Algorithms
There are two general types of key based algorithms:
Symmetric and Public Key. In Symmetric algorithms
encryption key can be same as the decryption key and vice
versa. These are also called as secret key algorithms.
Symmetric algorithms can be divided into two categories: i)
some operate on the plaintext a single bit at a time which
are called Stream ciphers, and ii) others operate on the
plaintext in groups of bits, such groups of bits are called
blocks and such algorithms are called Block ciphers.
1.2 Stream Ciphers and Block Ciphers
Stream ciphers are generally faster than block ciphers in
hardware, and have less complex hardware circuitry. Stream
ciphers are more suitable for situations where transmission
errors are highly probable.
Symmetric key block ciphers are the most prominent and
important elements in many cryptographic systems.
Individually, they provide confidentiality. The examples of
block ciphers are DES, 3-DES, FEAL, SAFER, RC5 and
AES. The implementation of any basic block cipher is
generally known as Electronic Code Book (ECB) mode. In
order to increase the security further additional modes are
also defined. They are (1) Cipher Feed Back (CFB) mode
(2) Output Feed Back (OFB) mode (3) Counter mode
(CTR). The counter mode has become popular in IPSec and
IPv6 applications.
1.3 Cryptanalysis
There are two general approaches for attacking a
conventional encryption algorithm:
Cryptanalysis: This is used for deciphering a message
without any knowledge of the enciphering details.
52
Cryptanalysis is the science of recovering the plaintext of a
message without the access to the key. Successful
cryptanalysis may recover the plaintext or the key. It also
finds weakness in the cryptosystem.
Brute – Force attack: The attack tries every possible key
on a piece of cipher text until an intelligible translation into
plain text is obtained. This is tedious and may not be
feasible if key length is relatively long.
1.4 Confusion and Diffusion
These are the two important techniques for building any
cryptographic system. Claude Shannon introduced the terms
Confusion and Diffusion. According to Shannon, in an ideal
cipher, “all statistics of the cipher text are independent of
the particular key used”. In Diffusion, each plaintext digit
affects many cipher text digits, which is equivalent to saying
that each cipher text digit is affected by many plain text
digits.
All encryption algorithms will make use of diffusion and
confusion layers. Diffusion layer is based upon simple linear
operations such as multi-permutations, key additions,
multiplication with known constants etc. On the other hand,
confusion layer is based upon complex and linear operations
such as Substitution Box (S-box).
2. Related Work
2.1 Evaluation of Advanced Encryption Standard
The principal drawback of 3DES is that the algorithm is
relatively sluggish in software. The original DES is
designed for mid 1970’s hardware implementation and does
not produce efficient software code. Since 3DES has three
times as many rounds as DES, it is relatively slower. A
secondary drawback is that both DES and 3DES use a 64-bit
block size. For reasons of both efficiency and security a
larger block size is desirable.
Because of the drawbacks, NIST in 1997 issued a call for
proposals for a new Advanced Encryption Standard (AES),
which should have security strength equal to or better than
3DES and significantly, improved efficiency. In addition,
NIST specifies that AES must be a symmetric block cipher
with a block length of 128 bits and support for key lengths
of 128,192 and 256 bits.
In first round 15 proposals were submitted and in second
round 5 algorithms were selected. NIST completed its
evaluation in November 2001 and selected Rijndael for AES
are both cryptographers from Belgium: Dr. Joan Daemen
and Dr. Vincent Rijmen. This standard specifies the
Rijndael algorithm ([3] and [4]), a symmetric block cipher
that can process data blocks of 128 bits, using cipher keys
with lengths of 128, 192, and 256 bits. Rijndael was
designed to handle additional block sizes and key lengths;
however they are not adopted in this standard. Throughout
the remainder of this standard, the algorithm specified
herein will be referred to as “the AES algorithm.” The
algorithm may be used with the three different key lengths
indicated above, and therefore these different “flavors” may
be referred to as “AES-128”, “AES-192”, and “AES-256”.
2.2 S-Box Design
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
One of the most intense areas of research in the field of
symmetric block ciphers is that of S-box design. The
characteristic of the S-box is its size. An n x m S-box has n
input bits and m output bits. Larger S-boxes, by and large,
are more resistant to differential and linear cryptanalysis.
However, large dimension n leads to larger lookup table.
The size of lookup table decides the size of the program
memory. Therefore, the small S-box is required for the
hardware with less program memory and large S-box can be
used with hardware having more program memory. For
example, AES uses 16 x 16 S-box. This is implemented in a
suite of hardware platforms: 8051 based microcontrollers,
PIC processor, ARM processors, FPGA based processors,
ASIC, etc. It is possible to implement 256 x 256 S-box in
high end processors.
Another practical consideration is that the larger the S-box,
the more difficult it is to design it properly. S-box is
required for both encryption and decryption. An n x m S-box
typically consists of 2n rows of m bits each. The n bits of
input select one of the rows of the S-box, and the m bits in
that row are the output. For example, in an 8 x 32 S-box, if
the input is 00001001, the output consists of the 32 bits in
row 9 (the first row is labeled row 0).
2.3 Key Schedule Algorithm
A final area of block cipher design is the key schedule
algorithm. A block cipher requires one sub-key for each
round of operation. The sub-key is generated from the input
master key. Generation of sub-key requires an algorithm.
This algorithm should ensure that not sub-key is repeated.
In general, we select subkeys to maximize the difficulty of
deducing individual subkeys and the difficulty of working
back to the main key.
2.4 Avalanche criteria:
There are two different types of strict avalanche criteria: i)
First order SAC: It is a change in output bit when a single
input bit is flipped and ii) Higher order SAC: It is a change
in output bit when many input bits are flipped.
3. Statement of the Problem
AES is a symmetric block cipher which encrypts/decrypts
one block of data a time. AES has an iterative structure
consisting of a repetition of a round, which is applied to the
data block to be encrypted for a fixed number of times. The
mandatory feature required for any block cipher is good
diffusion. The problem statement is given below:
i. To implement the encryption and decryption of the
algorithm.
ii. To increase the Diffusion power of the AES algorithm.
iii. To suggest a new S-box to the AES algorithm to
increase the confusion.
4. Algorithm Specification
For the AES algorithm, the length of the input block, the
output block and the State is 128 bits. This is represented by
 (IJCNS) International Journal of Computer and Network Security, 53
Nb = 4 which reflects the number of 32-bit words (number
of columns) in the State.
For the AES algorithm, the length of the Cipher Key, K,
is 128, 192, or 256 bits. The key length is represented by Nk
= 4, 6, or 8, which reflects the number of 32-bit words
(number of columns) in the Cipher Key. For the AES
algorithm, the number of rounds to be performed during the
execution of the algorithm is dependent on the key size. The
number of rounds is represented by Nr, where Nr = 10 when
Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8.
The only Key-Block-Round combinations that conform
are shown below.
Figure 1. Key-Block-Round Combinations.
For both its Cipher and Inverse Cipher, the AES
algorithm uses a round function that is composed of four
different byte-oriented transformations: 1) byte substitution
using a substitution table (S-box), 2) shifting rows of the
State array by different offsets, 3) mixing the data within
each column of the State array, and 4) adding a Round Key
to the State.
4.1 The State
Internally, the AES algorithm’s operations are performed on
a two-dimensional array of bytes called the State. The State
consists of four rows of bytes, each containing Nb bytes,
where Nb is the block length divided by 32. In the State
array denoted by the symbol s, each individual byte has two
indices, with its row number r in the range 0 £ r < 4 and its
column number c in the range 0 £ c < Nb. This allows an
individual byte of the State to be referred to as either sr,c or
s[r,c]. For this standard, Nb=4, i.e., 0 £ c < 4.
At the start of the Cipher and Inverse Cipher, the input –
the array of bytes in0, in1 … in15 – is copied into the State
array as illustrated in Fig. 2. The Cipher or Inverse Cipher
operations are then conducted on this State array, after
which its final value is copied to the output – the array of
bytes out0, out1 … out15.
Figure 2. State array input and output.
Vol. 2, No. 9, September 2010
Hence, at the beginning of the Cipher or Inverse Cipher, the
input array, in, is copied to the State array according to the
scheme:
s[r, c] = in[r + 4c] for 0 ≤ r < 4 and 0 ≤ c < Nb
and at the end of the Cipher and Inverse Cipher, the State is
copied to the output array out as follows:
out[r + 4c] = s[r, c] for 0 ≤ r < 4 and 0 ≤ c < Nb.
4.2 The State as an Array of Columns
The four bytes in each column of the State array form 32-bit
words, where the row number r provides an index for the
four bytes within each word. The state can hence be
interpreted as a one-dimensional array of 32 bit words
(columns), w0...w3, where the column number c provides an
index into this array. Hence, for the example in Fig. 2, the
State can be considered as an array of four words, as
follows:
w0 = s0,0 s1,0 s2,0 s3,0 w2 = s0,2 s1,2 s2,2 s3,2
w1 = s0,1 s1,1 s2,1 s3,1 w3 = s0,3 s1,3 s2,3 s3,3
5. Diffusion Analysis
Diffusion analysis of any encryption algorithm enables to
estimate the strength of that algorithm. The strength of the
algorithm is related to how cipher values are sensitive to
input plain text changes. In other words, how many of
output cipher text bits undergo changes when a single bit of
input plain text is changed.
Hamming distance is a measure of Hamming weight of a
function derived from xoring two cipher text values.
Hamming distance indicates the Avalanche of encryption
algorithm. For well-diffused cipher values, higher avalanche
values are required. Therefore, it is imperative to define the
amount of avalanche is required for a given encryption
algorithm. Strict Avalanche Criterion (SAC) is defined to
indicate the required diffusion level. It is mandatory to every
encryption algorithm to satisfy the SAC in order to meet the
diffusion requirements.
In this paper, Avalanche values are measured for this
encryption algorithm for First order SAC and for Higher
Order SAC. The measured results are shown in later
sections.
Flipping one bit input plain text and keeping the key value
constant, avalanche values are measured for each round.
The measured result shows a definite pattern.
With respect to CASE (1) i.e. implementation of the first
order SAC, keeping the plaintext constant. Initially in the
first round it is low, the number of bits that differ are 22 and
the SAC value is 17. Then increases to a maximum, in the
7th round ,the number of bits that differ are 75 with a SAC
value 58 and decreases, finally after the 10 round, it ends
with the number of bits differ are 72 with a SAC value 56
which satisfies the desired Strict Avalanche Criteria.
Similarly the same holds for all the other cases which are
shown in the later sections. From the results, it is evident
that Avalanche values exceed the SAC value in the initial,
rounds, sometimes in the second round itself.
The AES encryption algorithm is designed based upon
the various criteria, and then the number of rounds in here
is adequate and robust, as it uses S-boxes as nonlinear
components. So far Rijndael has no known security attacks.
54 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Based upon the above considerations, we can conclude that

an encryption algorithm can be designed with less number
of rounds provided it does not show any weakness to
differential and linear attacks.

6. Alternate S-box
In a block cipher, S-box provides the confusion. S-box maps
the plain text to a cipher value using nonlinear operations.
Since plain text and cipher values are not related linearly, it
6.3 Proposed S-box
is difficult to construct plain text from a given cipher value.
This problem is generally known as “hard”. Some of the Here we are proposing that we can generate our own S-
block ciphers have used multiplicative inverse of a byte in boxes by choosing different constant value which is used in
the GF(28) field for constructing S-box. This S-box is the affine transformation in the construction of S-box.
constructed by filling the multiplicative inverse values. The
same S-box can be used for decryption thus providing 7. Experimental Results
involution. However, these are not as secure as that of an S-
AES algorithm is designed with a same three key size
box constructed using double transformation, i.e., separate
alternatives i.e. 128/192/256 but limits the block length to
S-box for each encryption and decryption. But involution S-
128 bits. The algorithm efficiently encrypts and decrypts the
box is extremely useful for involution cipher, where
plaintext and the result is tabulated. Also diffusion analysis
hardware is premium such as Smart card, etc. This is also
is used as a tool to measure the strength of the AES
used as a basic building block to construct an S-box using
algorithm. This is achieved by analyzing the diffusion that
double transformation.
exhibits a strong avalanche effect for the First order SAC
6.1 Design Criteria for S-Box and Higher order SAC taking the following cases.
Following are the design criteria for S-box, appearing in • Changing one bit at a time in a plaintext, keeping
order of importance: key as constant.
• Non – Linearity: • Changing one bit at a time in a key, keeping
(a) Correlation: The maximum input-output correlation plaintext as constant.
amplitude must be as small as possible. • Changing many bits at a time in a plaintext,
(b) Difference propagation probability: The maximum keeping key as constant.
difference propagation probability must be as small as • Changing many bits at a time in a key, keeping
possible. plaintext as constant.
• Algebraic Complexity: Each round avalanche value is tabulated for all the above
The algebraic expression of SRD in GF (28) has to be cases and proved that the Rijndael algorithm exhibit good
complex. Strict avalanche Criteria.
Also, generation of an alternate S-box is an attempt to
6.2 S-Box of AES secure the algorithm from any attacks and then using the
S-box is constructed in the following fashion: generated S-box for encryption and diffusion analysis, for
• Initialize the S-box with the byte values in ascending comparison.
sequence row by row contains {00},{01},{02},……..{0F}; The following are the results that have been achieved:
the second row contains {10},{11},etc.; and so on. Thus
the value of a byte at row x, column y is {xy}. 7.1 Encryption
• Map each byte in the S-box to its Multiplicative inverse in The length of the key is entered; accordingly the key and the
the finite field GF(28); the value {00} is mapped to itself. plaintext are to be entered in hexadecimal. Simultaneously
• Consider that each byte in the S-box consists of 8 bits the cipher text is generated.
labeled (b7,b6,b5,b4,b3,b2,b1,b0). Apply the following
transformation to each bit of each byte in the S-box:
b`i=bi b(i+4)mod 8 b(i+5)mod 8 b(i+6)mod 8 b(i+7)mod 8
b(i+8) mod 8 ci
Where ci is the ith bit of byte c with the value {63} i.e. (c7
c6 c5 c4 c3 c2 c1 c0) = (01100011). The prime (`) indicates that
the variable is to be updated by the value on the right.
The AES standard depicts this transformation in matrix
form as follows:

Figure 3. Shows the result of encryption using 128-bit

key length.
 (IJCNS) International Journal of Computer and Network Security, 55
Vol. 2, No. 9, September 2010

7.2 Decryption
The key has to be entered, which was previously entered for
encryption. As a result, the plain text entered during
encryption and the text after decrypting is generated.

Figure 7. Shows the results of Avalanche Effect for

Case (3).
CASE 4: Changing many bits at a time in a plaintext,
keeping key as constant.

Figure 4. Showing the result after decryption for 128 bit key
length.
7.3 Diffusion Analysis for First Order SAC
CASE 1: Changing one bit at a time in a key, keeping
plaintext as constant

Figure 8. Shows the results of Avalanche Effect for

Case (4).
7.5 With alternate S-box
The alternate S-box is generated, and the encryption and
diffusion analysis is carried out with new S-box.

Figure 5. Shows the results of Avalanche Effect for

Case (1).
CASE 2: Changing one bit at a time in a plaintext, keeping Figure 9. Shows the result of encryption using 128-bit key
key as constant. length.

Figure 10. showing the diffusion analysis, for first order

SAC of 128-bit key length.

Figure 6. Shows the results of Avalanche Effect for

Case (2).
7.4 Diffusion Analysis for Higher Order SAC
CASE 3: Changing many bits at a time in a key, keeping
plaintext as constant
8. Conclusions
The main aim of any encryption algorithm is to keep the
data secure from the intruders. The DES did not satisfy the
need for data security because of its short 56-bit key. Such
short keys can be broken by brute force attacks and so it was
proved insecure. So as a replacement, AES is proposed,
Rijndael was selected, which is more secure than the DES.
56 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Authors Profile
The basic design of an encryption algorithm is based upon Mohan H.S. received his Bachelor’s
the strength of diffusion and confusion. This dissertation degree in computer Science and
explored diffusion and confusion elements used in the AES Engineering from Malnad college of
to an extent. Based on the studies, following techniques are Engineering, Hassan during the year
developed as a security improvement, these are 1999 and M. Tech in computer Science
• Diffusion analysis, which is used as a tool to measure the and Engineering from Jawaharlal Nehru
strength of the algorithm. Therefore from the Experimental National College of Engineering, Shimoga during the year
results; it is proved that AES meets the Strict Avalanche 2004. Currently pursing his part time Ph.D degree in Dr.
Criteria which is mandatory to an encryption algorithm in MGR university ,Chennai. He is working as a professor in
order to meet the diffusion requirements. the Dept of Information Science and Engineering at SJB
• Suggesting an alternate S-box. Institute of Technology, Bangalore-60. He is having total 12
years of teaching experience. His area of interests are
9. Future Enhancements Networks Security, Image processing, Data Structures,
Computer Graphics, finite automata and formal languages,
• An alternate S-box for decryption can be developed.
Compiler Design. He has obtained a best teacher award for
• All encryption algorithms both symmetric and public key,
his teaching during the year 2008 at SJBIT Bangalore-60.
involve with arithmetic operations on integers with a finite
He has published and presented papers in journals,
field. Rijndael algorithm uses a irreducible polynomial
international and national level conferences.
m(x) = x8 +x4 +x3+x+1 = 0x11b (hex).
So, a new irreducible polynomial of degree 8 could be used.
A. Raji reddy received his M.Sc from
There are 30 irreducible polynomials of degree 8 are present
Osmania University and M.Tech in
Electrical and Electronics and
References communication Engineering from IIT,
[1] W Stallings, CRYPTOGRAPHY AND NETWORK Kharagpur during the year 1979 and his
SECURITY, Printice Hall, 2003. Ph.D degree from IIT, kharagpur during
[2] AES page available via the year 1986.He worked as a senior
http://www.nist.gov/CryptoToolkit.4 scientist in R&D of ITI Ltd, Bangalore for about 24 years.
[3] Computer Security Objects Register (CSOR): He is currently working as a professor and head in the
http://csrc.nist.gov/csor/. department of Electronics and Communication,
[4] J. Daemen and V. Rijmen, AES Proposal: Rijndael, Madanapalle Institute of Technology & Science.
AES Algorithm Submission, September 3, 1999. Madanapalle. His current research areas in Cryptography
[5] J. Daemen and V. Rijmen, The block cipher Rijndael, and its application to wireless systems and network security.
Smart Card research and Applications, LNCS 1820, He has published and presented papers in journals,
Springer-Verlag, pp. 288-296. international and national level conferences.
[6] B. Gladman’s AES related home page
http://fp.gladman.plus.com/cryptography_tetechnolo/.
[7] A. Lee, NIST Special Publication 800-21, Guideline for
Implementing Cryptography in the Federal
Government, National Institute of Standards and
Technology, November 1999.
[8] A. Menezes, P. van Oorschot, and S. Vanstone,
Handbook of Applied Cryptography, CRC Press, New
York, 1997, p. 81-83.
[9] J. Nechvatal, Report on the Development of the
Advanced Encryption Standard (AES), National
Institute of Standards and Technology, October 2, 2000.
[10] Mohan H.S and A. Raji Reddy. " Diffusion Analysis of
Mars Encryption Algorithm","International conference
on current trends of information technology,MERG-
2005”,Bhimavaram, Andhrapradesh.
[11] Mohan H.S and A. Raji Reddy. "An Effective Defense
Against Distributed Denial of Service in Grid”, "IEEE
International conference on integrated intelligent
computing ICIIC-2010.SJBIT, Bangalore-60. ISBN
978-0-7695-4152-5, PP. 84-89.
 (IJCNS) International Journal of Computer and Network Security, 57
Vol. 2, No. 9, September 2010

Knowledge Based Computing Using Semantic Web

for Grid Applications
Dr. M. Rajaram1, Mrs. S. Latha Shanmuga Vadivu 2
1
Professor & Head, EEE Dept,
Government college of engineering, Tirunelveli,
Tamilnadu, India
2
Assistant professor, Department of ECE,
Tamilnadu College of Engineering, Coimbatore,
Tamilnadu, India

Abstract: Today most of the scientific enterprises are highly
data-intensive, computation-intensive and collaboration-
intensive. This necessitates the interaction and sharing of
various resources, especially knowledge, despite their
heterogeneity and geographical distribution. Intelligent process
automation and collaborative problem solving have to be
adapted. A Semantic Web-based approach is proposed to tackle
the six challenges of the knowledge lifecycle namely those of
acquiring, modeling, and retrieving, reusing, publishing and
maintaining knowledge. To achieve this vision the Semantic
Web community has proposed some core enabling technologies
and reasoning which provide an infrastructure for distributed
information and knowledge management based on metadata,
semantics, and reasoning. A Semantic Web-based approach to
managing Grid resources’ knowledge for Grid applications is an
approach where a semantics-based knowledge layer is added
between Grid resources and Grid applications. In this layer, the
Semantic Web technologies are used to carry out knowledge
acquisition, modeling, representation, publishing, storage and
reuse Ontology’s. They are used to conduct knowledge
acquisition through Ontology modeling and Semantic
annotation. Ontology modeling provides conceptual structures
for preserving knowledge and Semantic annotation captures
metadata, generates semantic instances and populates them into
knowledge bases.
Keywords: Ontology, Semantic Web, Client, Grid, K-Service.
1. Introduction
The Semantic Web is an extension of the current Web
in which information is given well-defined meaning, better
enabling computers and people to work in cooperation. It is
the idea of having data on the Web defined and linked in a
way that it can be used for more effective discovery,
automation, integration, and reuse across various
applications where data can be shared and processed by
automated tools as well as by people. To achieve this vision,
we have made use of core enabling technologies, APIs and
tools, encompassing ontologies, ontology languages,
annotation, semantic repositories, and reasoning, which
provide an infrastructure for distributed information and
knowledge management based on metadata, semantics, and
reasoning. [3]. A Semantic Web-based approach to KM is
proposed here in which we use ontology’s for knowledge
acquisition and modeling, the Web ontology language for
Knowledge representation and semantic-based reasoning for
decision making support.
Grid computing offers a promising distributed
computing infrastructure where large-scale cross
organizational resource sharing and routine interactions are
a common place. Grid applications usually refer to large-
scale science and engineering that are carried out through
distributed global collaboration enabled by the Grid.
Typically, such scientific enterprises are data-intensive
and/or collaboration-intensive and/or computation-intensive,
i.e., they require access to very large data collections, very
large-scale computing resources, and close collaboration
among multiple stakeholders. This necessitates the
interaction and sharing of specific resources, despite the
heterogeneity of their respective policies, platforms and
technologies, and their geographical and organizational
dispersal. [8] It is envisioned that Grid applications would
be carried out through flexible collaborations and
computations on a global scale with a higher degree of easy-
to-use and seamless automation.[1]
Grid applications are usually knowledge resides
implicitly in resource models and/or descriptions. Making
domain knowledge explicit and understandable for third
party consumers can enhance effective resource reuse by
providing well-informed decisions regarding when, where,
and how to use a resource.[4] By enriching metadata and
knowledge with semantics, the Grid can break down the
barrier of heterogeneity and move to truly seamless access
and cross-organizational resource sharing. Furthermore,
semantics empowers machines or software agents to
understand and process resources’ metadata. Consequently
it will increase the level of automation and reduce the need
of manual intervention.
2. Existing System
Most of today’s Web content is suitable for human
consumption. Even Web content that is generated
automatically from databases is usually presented without
the original structural information found in databases.
Typical uses of the Web today involve people seeking and
making use of information, searching for and getting in
58
touch with other people, reviewing catalogs of online stores
and ordering products by filling out forms, and viewing
adult material.
These activities are not particularly well supported by
software tools. Apart from existence of links that establish
connections between documents, the main valuable, indeed
indispensable, tools are search engines.[9]
Keyword based search engines, such as Alta Vista,
Yahoo and Google are the main tools for using today’s Web.
However there are serious problems associated with their
use. Most information is available in a weakly structured
form, for example, text, audio and video. From the
Knowledge management perspective, the current technology
suffers from limitations in the following areas:
Extracting Information: Human time and effort are
required to browse the retrieved documents for relevant
information.
Uncovering Information: New knowledge implicitly
existing in corporate databases is extracted using data
mining. However this task is still difficult for distributed,
weakly structured collection of documents.[4]
Viewing Information: Often it is desirable to restrict access
to certain information to certain groups of employees.
“Views”, which hide certain information, are known form
the area of databases but are hard to realize over an intranet
(or the Web).
Searching Information: Currently the keyword based
search engines return too much or too little or irrelevant
information.
2.1 Proposed System
Web represents information using natural language
such as English, Hungarian, and Chinese etc. This is okay
for humans but difficult for machines. In the case of
distributed applications, automatic procedures are involved
and not only humans, agents try to make “sense” of
resources on the Web and a well defined terminology on the
domain is necessary. So it is appropriate to represent the
Web content in a form that is easily machine-processable
and to use intelligent techniques to take advantage of the
representations. We refer to this plan of revolutionizing the
Web as the Semantic Web initiative. It is important to
understand that the Semantic Web will not be a new global
information highway parallel to the existing World Wide
Web; instead it will gradually evolve out of the existing
Web.
The aim of the Semantic Web is to allow much more
advanced knowledge management systems. Knowledge will
be organized in conceptual spaces according to its meaning.
Automated tools will support maintenance by checking for
inconsistencies and extracting new knowledge. Keyword-
based search will be replaced by query answering; requested
knowledge will be retrieved, extracted, and presented in a
human friendly way. Query answering over several
documents will be supported. Defining who may view
certain parts of information (even parts of documents) will
be possible. Knowledge management is done using
metadata, semantics and reasoning. Some of the cores
enabling technologies made use are Ontology modeling and
Semantic annotations. Ontology modeling provides
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
conceptual structures for preserving knowledge.[1] Semantic
annotation captures metadata, generates semantic instances
as knowledge entities, and populates them into knowledge
bases. The essence of this approach is to add a semantics-
based knowledge layer between primitive Grid resources and
Grid applications. Grid applications would be carried out
through flexible collaborations and computations on a global
scale with a high degree of easy-to-use and seamless
automation.
3. Owl (Web Ontology Language):
The OWL (Web Ontology Language) is designed for
use by applications that need to process the content of
information instead of just presenting information to
humans. OWL facilitates greater machine interpretability of
Web content than that supported by XML, RDF, and RDF
Schema (RDF-S) by providing additional vocabulary along
with a formal semantics. OWL has three increasingly-
expressive sublanguages: OWL Lite, OWL DL, and OWL
Full. OWL is intended to be used when the information
contained in documents needs to be processed by
applications, as opposed to situations where the content only
needs to be presented to humans. [3]
OWL can be used to explicitly represent the
meaning of terms in vocabularies and the relationships
between those terms. This representation of terms and their
interrelationships is called ontology. OWL has more
facilities for expressing meaning and semantics than XML,
RDF, and RDF-S, and thus OWL goes beyond these
languages in its ability to represent machine interpretable
content on the Web. OWL is a revision of the DAML+OIL
web ontology language incorporating lessons learned from
the design and application of DAML+OIL.[11]
3.1 Owl Description:
The Semantic Web is a vision for the future of the
Web, in which information is given explicit meaning,
making it easier for machines to automatically process and
integrate information available on the Web. The Semantic
Web will build on XML's ability to define customized
tagging schemes and RDF's flexible approach to
representing data. The first level above RDF required for the
Semantic Web is an ontology language what can formally
describe the meaning of terminology used in Web
documents. If machines are expected to perform useful
reasoning tasks on these documents, the language must go
beyond the basic semantics of RDF Schema. OWL has been
designed to meet this need for a Web Ontology Language.
OWL is part of the growing stack of W3C recommendations
related to the Semantic Web.[6,5]
• XML provides a surface syntax for structured
documents, but imposes no semantic constraints on the
meaning of these documents.
• XML Schema is a language for restricting the
structure of XML documents and also extends XML with
data types.
• RDF is a data model for objects ("resources") and
relations between them provides a simple semantics for this
 (IJCNS) International Journal of Computer and Network Security, 59
Vol. 2, No. 9, September 2010

data model, and these data models can be represented in

XML syntax.
• RDF Schema is a vocabulary for describing
properties and classes of RDF resources, with a semantics
for generalization-hierarchies of such properties and classes.
• OWL adds more vocabulary for describing
properties and classes: among others, relations between
classes (e.g.disjointness), cardinality (e.g. "exactly one"),
equality, richer typing of properties and characteristics of
properties (e.g. symmetry), and enumerated classes.

3.2 SYSTEM DESIGN

The Semantic Web concept is used for knowledge
sharing in Grid applications. The grid applications contain a
knowledge base that is populated with relevant information
uploaded by the authenticated service providers. The
authenticated clients of the grid application can search for
required information from the knowledge base. This search
request will be processed automatically by the relevant
phases of the grid that will return the relevant information,
in the required format, eliminating redundancies.[7] Thus
the system is designed by writing program for client,
middleware and server.
The figure 1 shows the various layers for Figure 1. the semantic web based approach to knowledge
knowledge management in semantic web which are management
explained below.
3.2.1 Client
The grid applications like e-business, e-science, e-
banking have a number of clients who will wish to access
the resources and knowledge available in the grid from
anywhere in the world. All that is needed is they have access
permissions to make use of the resources. The search request
from them will be processed automatically by the
middleware i.e. the knowledge layer and the knowledge will
be presented to them as they want it and that too without
any effort from them.
3.2.2 Client functions:

The client performs two functions namely that of

searching by giving a keyword and downloading contents
using the links returned by the middleware.

Search

In this module the clients of the Grid application who

desire to obtain information from the knowledge base, must
first login. In case they are new users they can register by
providing their user name, password and e-mail.
Once logged in they can specify a keyword or set of Figure 2. user login page
keywords and can choose categories i.e. if they want text or
image or video files and select one main subcategory from
the list available. The figure (2) shows the user login page from where the
Retrieve: clients request is sent to the middleware layer.
The request from the client is sent to the middleware
layer and is processed by the relevant grid phases. As a
result a set of links are returned. The client downloads
content using the links.
60 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Ontology Development: This phase is activated after the

previous phase. It creates a partial ontology for the uploaded
file using the metadata extracted in the previous phase. It
will be of the OWL file format. It conducts knowledge
elicitation and builds the knowledge models.

Semantic Annotation: The complete OWL file for the

uploaded content is generated in this phase. Each keyword
will have a URL link attached with it separately and the
knowledge base will be populated extensively in this phase.

K-Service Development:

In this phase knowledge services will be developed

using application specifications and knowledge application
scenarios. They are developed to make best use of available
knowledge and provide maximum intelligent support for
Figure 3. new user registration page
problem solving. The outputs of this phase are a number of
The figure (3) shows the new user registration K-services that can serve as building blocks for Grid
page. If the client has already not registered he can register applications or, more generally, as the middleware for the
and enter the site so that he can get the useful information Semantic Grid infrastructure.
he needs.
Testing and evaluation:
3.2.3 Middleware: In this phase the K-services developed in the previous
This middleware region comprises of the Grid phase are tested for their functionality. If they produce the
activities that are carried out in seven distinct phases. The desired output then they are passed on to the System
system design modules of the middleware layer are shown in integrator. The K-services are also tested to yield optimum
the figure 4 below and the modules are explained thereof. performance.
SERVER APPLICATION CATEGORISED
REQUEST ANALYZER
System integration:
REQUEST

While tasks are performed in each phase by different

KNOWLEDGE XML file roles, they are a coordinated and collaborative endeavor.
MANAGEMENT
The outcomes of one phase will be used by tasks in later
phases. Results from previous activities are evaluated and
validated by later tasks. Sometimes, it is necessary to iterate
ONTOLOGY the refinement-evaluation cycle several times between
DEVELOPMENT OWL file
phases before all requirements are met. The system
integrator performs this task.
Annotated 3.2.4 Servers:
SEMANTIC
ANNOTATION OWL file The service providers are responsible for uploading
the contents to the knowledge base in the Grid
application.[5] If there are any updates in the uploaded file
TESTING AND Structured content then they will be providing information for the
EVALUATION OWL file uploaded content also.
Server Upload:
Figure 3. system design modules The service providers upload and update information.
First they need to login to be able to upload information into
Application Analysis: Any request from the client or the the grid. If they are new service providers, they have to
server will be passed on to this phase of the grid. The register and be authenticated. Thus the screen shot of
application analyzer analyzes the request and if it is from service provider upload page is given in the figure 5.
the server forwards it to the Knowledge management phase Once the authentication process is over they can
else to the K-service development phase. select the categories and subcategories in which they wish to
upload the file and send the upload request. This will be
Knowledge Management Analysis: The content uploaded processed by the middleware and feedback if their request
by the service providers is received and the Metadata was accepted or not will be given back to them.
information are categorized and extracted. It also collects
and maintains the details about where the Knowledge
information resides.
 (IJCNS) International Journal of Computer and Network Security, 61
Figure 5. service provider upload page
Update: The uploaded information can also be updated by
the corresponding service providers from time to time. This
makes sure that the information in the knowledge base
remains consistent always.
4. Conclusion
The Semantic Web-based approach to knowledge
management leverages the state of the art in ontology,
ontology languages and DL reasoning technologies. To
support the adoption and implementation of the proposed
approach, a methodology has been developed to provide
guidance for Grid practitioners to carry out knowledge
management for Grid applications.
References:
[1] W. Johnston, “Semantic Services for Grid-Based, Large-
Scale Science,” IEEE Intelligent Systems, vol. 19, no.
1, pp. 34-39, Jan./Feb. 2004.
[2] N.R. Shadbolt, T. Berners-Lee, and W. Hall, “The
Semantic Web Revisited,” IEEE Intelligent Systems,
vol. 21, no. 3, pp.96-101, May/June 2006.
[3] E. Sirin, B. Parsia, and J. Hendler, “Filtering and
Selecting Semantic Web Services with Interactive
Composition Techniques,” IEEE Intelligent Systems,
vol. 19, no. 4, pp. 42-49, July/Aug.2004.
[4] Grigoris Antoniou and Frank van Harmelen, “A
Semantic Web Primer,” The MIT press, 2004.
[5]H. Zhuge, “Semantic Grid: scientific issues,
infrastructure, and methodology,” ACM
Communication, vol.48, no.4, pp.117-119, 2005.
[6] T. Berners-Lee, J. Hendler, and O. Lassila, "The
Semantic Web," Scientific American, Vol. 284, no.4,
pp.34-43, 2001.
[7] M.H. Eres, G.E. Pound and S.J. Cox, “Globus
Installation
Procedure,”http://www.geodise.org/files/tutorials/
Globus_Installation.pdf, 2004.
Vol. 2, No. 9, September 2010
[8] C.A. Goble, D. De Roure, N.R. Shadbolt, and A.A.A.
Fernandes, "Enhancing Services and Applications with
Knowledge and Semantics,"The Grid 2: Blueprint for a
New Computing Infrastructure, I. Foster and C.
Kesselman, Eds., Morgan-Kaufmann, pp. 431-458,
2004.
[9] S. Schreiber, H. Akkermans, A. Anjewierden, R. Hoog
and N.R. Shadbolt, “Knowledge Engineering and
Management,” The MIT Press, London, 1999.
[10] I. Horrocks, U. Sattler and S. Tobies, “Practical
reasoning for expressive description logics,” Lecture
Notes in Artificial Intelligence,No.1705, H. Ganzinger,
D. McAllester, and A. Voronkov, eds, pp.161-180,
1999.
[11] V. Haarslev and R. Möller, “Racer: A Core Inference
Engine for the Semantic Web,” Proc. 2nd International
Workshop on Evaluation of Ontology
Authors Profile
Dr. M. Rajaram, M.E., Ph.D., is a
Professor and Head in Electrical and
Electronics Engineering and Computer
Science and Engineering in Government
College of Engineering, Tirunelveli. He
received B.E Degree in Electrical and
Electronics Engineering from Madurai University, M.E and
PhD degree from Bharathiyar University, Coimbatore, in
1981, 1988 and 1994 years and his research interests are
Computer Science and engineering, electrical engineering
and Power Electronics. He is the author of over 120
Publications in various International and National Journals.
7 PhD scholars and 10 M.S (By Research) Scholars have
been awarded under his supervision. At present, he is
supervising 12 PhD Scholars.
Mrs. S. Lathashanmugavadivu is
Assistant Professor in Electronics and
Communication Engineering Department
in Tamilnadu College of Engineering in
Coimbatore. She received B.E Degree
from Bharathiar University, Coimbatore
in the year 1995. M.S (by research) in
Computer Science Engineering from Anna University
Chennai in the year 2007 and pursuing PhD in Computer
Science Engineering in Anna University Coimbatore. She
has teaching experience of 15 years. Her research interest is
in Data Mining and Networking. She is an active member of
ISTE and CSI Societies also the Branch Counselor of IEEE
Students Branch in Tamilnadu College of Engineering.
Students of various institutions across the state have
benefited over her seminars, guest lectures and workshops.
62 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

A Novel design of High Speed Adders Using

Quaternary Signed Digit Number System
Reena Rani1, L.K. Singh2 and Neelam Sharma 3
1
B.S.A. College of Engineering & Technology, Mathura
Uttar Pradesh, India
reena_rani1331@yahoo.co.in

2
Dr. R.M.L. Avadh University Faizabad, Uttar Pradesh, India
proflksingh@yahoo.com
3
Institute of Engg. & Technology, Alwar, Rajasthan, India.
neelam_sr@yahoo.com

The paper is structured as follows: Section 2 presents the

Abstract: We proposed fast adders based on Quaternary signed
digit number system. Quaternary Signed Digit number system in
arithmetic circuits has the advantage of constant addition time
irrespective of word length. Arithmetic operations in digital
signal processing applications still suffer from problems
including propagation delay and circuit complexity. QSD
number representation allows a method of fast
addition/subtraction because the carry propagation chains are
eliminated and hence it reduces the propagation time. In QSD,
each digit can be represented by a number from -3 to 3. The
design of QSD adder is carried out using FPGA tools. The
designs are simulated using Modelsim SE 6.4 software and
synthesized using Leonardo Spectrum.
Keywords: Carry free addition, Fast computing, FPGA, VLSI.
1. Introduction
Arithmetic operations play an important role in various
digital systems such as computers, process controllers,
signal processors computer graphics and image processing.
Recent advances in technologies for integrated circuits make
large scale arithmetic circuits suitable for VLSI
implementation. However, arithmetic operations still suffer
from known problems including limited number of bits,
propagation time delay, and circuit complexity [1].
Now, the flexibility of field programmable gate arrays
(FPGAs) allows the rapid development of high performance
custom hardware [12]. By selecting arithmetic algorithms
suited to the FPGA technology and subsequently applying
optimal mapping strategies, high performance FPGA
implementations can be developed [5].
In this paper, we propose a high speed QSD arithmetic
logic unit which is capable of carry free addition, borrow
free subtraction, up-down count and multiply operations.
The QSD addition/subtraction operation employs a fixed
number of minterms for any operand size.
Signed digit number system offers the possibility of carry
free addition. QSD Adder / QSD Multiplier circuits are
logic circuits designed to perform high-speed arithmetic
operations. In QSD number system carry propagation chain
are eliminated which reduce the computation time
substantially, thus enhancing the speed of the machine [7].
Quaternary Signed digit number system. In Section 3, we
Presented the Adder design using QSD number system
which contains two step additions. Section 4 presents
simulation results. Section 5 presents results
implementation. Then we provide our conclusions in
Section 6.
2. Quaternary Signed Digit numbers
QSD numbers are represented using 3-bit 2’s complement
notation. Each number can be represented by:
n -1
D = ∑ Χi 4 i
i=0
Where Xi can be any value from the set { 3, 2, 1, 0, 1, 2, 3 } for
producing an appropriate decimal representation. A QSD
negative number is the QSD complement of QSD positive
number [2] i.e 3 ' = 3, 3' = 3 , 2 ' = 2, 2’ = 2 , 1' = 1, 1' = 1.
For digital implementation, large number of digits such as
64, 128, or more can be implemented with constant delay. A
higher radix based signed- digit number system, such as
quaternary signed digit (QSD) number system, allows
higher information storage density, less complexity, fewer
system components and fewer cascaded gates and
operations. A high speed and area effective adders and
multipliers can be implemented using this technique.
For example
Conversion of (43)10 to QSD number
For n = 3, the number can be converted as
(43)10 = 2 × 42 + 2 × 41 + 3 × 40 = (223)QSD
The same number can be represented in another way as
(43)10 = 3 × 42 + 1 × 41 + 1 × 40 = (3 11)QSD
The number can be represented in one more way as
(43)10 = 2 × 42 + 3 × 41 + 1 × 40 = (23 1)QSD
Similarly one more representation is
(43)10 = 3 × 42 + 2 × 41 + 3 × 40 = (3 2 3)QSD
As a QSD negative number is the QSD complement of
the QSD positive number. So
(-43)10 = ( 2 2 3 )QSD = ( 3 11)QSD = ( 2 3 1)QSD = ( 3 2 3 )QSD
 (IJCNS) International Journal of Computer and Network Security, 63
Vol. 2, No. 9, September 2010

3. Adder Design two rules are chosen. The chosen intermediate carry and
intermediate sum are listed in the last column of Table 2 as
3.9 Design Algorithm the QSD coded number.
Table 2: The Intermediate Carry and Sum Between -6 to 6
Arithmetic has played an important role in human
civilization especially in the field of science, engineering
and technology. The everlasting need for higher computing
power and processing speed in a wide range of information
processing applications are placing stringent demands for
fast computation on digital computer design.
Recent advances in technologies for integrated circuits
make large scale arithmetic circuits suitable for VLSI
implementation [9]. However, arithmetic operations still
suffer from known problems including limited number of
bits, propagation time delay, and circuit complexity [6].
With recent advances of integrated circuits technology
higher radix circuits are becoming a reality.
Addition is the most important arithmetic operation in
digital computation. A carry-free addition is highly
desirable as the number of digits becomes large. We can
achieve carry-free addition by exploiting the redundancy of
QSD numbers and the QSD addition. The redundancy
allows multiple representations of any integer quantity i.e. This addition process can be well understood by following
example.
(-5)10 = ( 2 3)QSD = ( 11)QSD
There are two steps involved in the carry-free addition Example: To perform QSD addition of two numbers A =
[3]. The first step generates an intermediate carry and sum 107 and B = -233.
from the addend and augend. The second step combines the First convert the decimal number to their equivalent QSD
intermediate sum of the current digit with the carry of the representation:
lower significant digit[10]. (107)10 = 2 × 43 + 2 × 42 + 3 × 41 + 1 × 40 = (2 2 3 1 )QSD
To prevent carry from further rippling, we define two
rules. The first rule states that the magnitude of the (233)10 = 3 × 43 + 3 × 42 + 2 × 41 + 1 × 40 = (33 2 1)QSD
intermediate sum must be less than or equal to 2. The Hence, (-233)10 = ( 3 3 2 1 )QSD
second rule states that the magnitude of the carry must be Now the addition of two QSD numbers can be done as
less than or equal to 1.Consequently, the magnitude of the follows:
second step output cannot be greater than 3 which can be
represented by a single-digit QSD number; hence no further A = 107 2 2 3 1
carry is required. In step 1, all possible input pairs of the B = -233 2
3 3 1
addend and augend are considered. The output ranges from
Decimal
-6 to 6 as shown in Table 1. -1 -5 5 -2
Sum
Table 1: The ouputs of All Possible Combinations of a Pair IC 0 1 1 0
of Addend (A) and Augend(B) IS 1 1 1 2
S 2 0 1 2
Cout 0

The sum output is ( 2 01 2 )QSD which is equivalent to (-

126)10 and carry output is 0.
The QSD adder design process will carry two stages for
addition. The first stage generates intermediate carry and
sum according to the defined rules. In the second stage the
intermediate carry from the lower significant digit is added
to the intermediate sum of current digit which results in
carry free output. In this step the current digit can always
absorb the carry-in from the lower digit.

In the step 1 QSD adder, the range of output is from -6 to 3.10 Step 1 Adder Design
+6 which can be represented in the intermediate carry and
The step 1 QSD adder accepts QSD number as the input and
sum in QSD format as shown in Table 2 [4]. We can see in
gives intermediate carry and sum as the output. Figure 1
the first column of Table 2 that some numbers have multiple
shows the step 1 adder block as the intermediate carry and
representations, but only those that meet the above defined
sum circuit.
 64 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Table 3: The Mapping Between Inputs and Outputs of the

Second Step QSD Adder

Figure 1. The intermediate Carry and Sum Generator

The range of input numbers can vary from -3 to +3, so the

addition result will vary from -6 to +6 which needs two
QSD digits. The lower significant digit serves as sum and
most significant digit serves as carry. The generation of the
carry can be avoided by mapping the two digits into a pair of
intermediate sum and intermediate carry such that the nth
intermediate sum and the (n-1)th intermediate carry never
form any carry generating pair (3,3), (3,2), (3,1), ( 3 , 3 ),
( 3 , 2 ), ( 3 , 1 )[13] .
Both inputs and outputs can be encoded in 3-bit 2’s
complement binary number [8]. The mapping between the
inputs, addend and augend, and the outputs, the
intermediate carry and sum considered in binary format.
3.11 Step 2 Adder Design
In step 2, the intermediate carry from the lower significant
digit is added to the sum of the current digit to produce the
final result. The addition in this step produces no carry
because the current digit can always absorb the carry-in
from the lower digit [11]. The step 2 adder accepts 3.4 Single Digit QSD Adder design
intermediate carry and intermediate sum as input and gives The single digit QSD adder accepts two QSD numbers as
single digit carry free QSD output. Figure 2 shows the inputs and gives carry and sum as the output. Figure 3
block diagram for step 2 adder. shows the single digit QSD adder . At the input side, the
addend Ai is represented by 3 variable input as a2, a1, a0 and
the augend Bi is represented by 3 variable input as b2, b1, b0.
At the output side, the carry C is represented by C2, C1, C0
and the sum S is represented by S2, S1, S0. The addend and
augend can be selected in the range of -3 to +3.
The addition result according to the specified rules can
be represented in the range of -3 to +3. The addition result
is a single digit QSD number; hence no further carry is
Figure 2. The Second Step QSD Adder required. Both inputs and outputs are encoded in 3-bit 2’s
complement binary number.As the range of carry is from -1
The range of the intermediate carry is -1 to +1 and the to +1, it can be represented in 2 bit binary number but we
range of the intermediate sum is -2 to +2. The addition take the 3 bit representation for the bit compatibility with
result of intermediate carry and intermediate sum lies in the the sum, So C2 = C1.
range of -3 to +3, which can be represented by single digit
QSD number. Table 3 shows all possible combinations of
the summation between the intermediate carry and the sum.
Table 3: Outputs of All Possible Combinations of A pair of
Intermediate carry (IC) and Sum(IS)

Figure 3. Single Digit QSD Adder

The internal logic diagram for single digit QSD adder is

shown in figure 4.
 (IJCNS) International Journal of Computer and Network Security, 65
Vol. 2, No. 9, September 2010

4. Simulation Results
The four digit QSD adder written in VHDL, compiled
and simulated using Modelsim SE 6.4. The simulated result
for 4-digit QSD adders is shown in figure 6.

Figure 5. Simulated Result of Four Digit QSD Adder

5. Result Implementation

Design Synthesized on Xilinx VIRTEX-IV FPGA devices

using Leonardo Spectrum from Mentor Graphics. Figure 7
shows the RTL schematic for four digit QSD adder.

Figure 6. RTL Schematic of Four Digit QSD Adder

The delay for QSD adder is 2ns which is the minimum delay
in comparision to Ripple Carry Adder (RCA) and Carry
Look Ahead (CLA) Adder The QSD adders have constant
delay of 2ns for higher number of bits. Figure 8 shows the
Figure 4. Single Digit QSD Adder Structure timing comparision chart for RCA, CLA Adder and QSD
Adders.
66 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Symposium on circuits and Systems, august 1996, pp.

180 187-189.
170
160 [8] A. A. S. Awwal and J. U. Ahmed, “Fast Carry Free
150
140 Adder Design Using QSD Number System”, Proc.
130 IEEE National Aerospace and Electronic Conference,
120
110 RCA Vol. 2, 1993, pp 1085-1090.
Delay (ns)

100
90 CLA [9] Hwang K., ComputerArithmatic Principles
80
70 QSD Architecture and Design. New York : Wiley, 1979.
60
50 [10] Reena Rani, Neelam Sharma, L.K.Singh, “Fast
40 Computing using Signed Digit Number System” proc.
30
20 IEEE International Conference On Control,
10
0 Automation, Communication And Energy
Conservation -2009, 4th-6th June 2009, pp.1-4.
16

32

64
4
8

128
Number of Bits
Figure 7. Timing Comparision of RCA, CLA and QSD
Adder
6. Conclusion
We have presented an algorithm for radix-4 carry free
addition which is suitable for realizing high-speed compact
arithmetic VLSI circuits. The QSD addition scheme is
independent of the processed bit strings length and thus it is
very fast. QSD based addition technique is also memory
efficient since more information can be encoded in fewer
digits than its BSD addition counterpart.
References
[1] A. Avizienis, "Signed-digit number representations for
fast parallel arithmetic," IRE Trans. on Electronic
Computers, vol.- EC-10, pp. 389-400, 1961.
[2] Abdallah K. Cherri, “Canonical Quaternary
Arithmetic Based on Optical Content- Addressable
Memory (CAM)”, Proc. IEEE National Aerospace and
Electronic Conference, vol.- 2, 1996, pp. 655-661.
[3] Reena Rani, Upasana Agrawal, Neelam Sharma, L.K.
Singh, “High Speed Arithmetic Logical Unit using
Quaternary Signed Digit Number System”
International Journal Of Electronic Engineering
Research, ISSN 0975 – 6450, Volume 2 Number 3,
2010 pp. 383–391.
[4] Songpol Ongwattanakul, Phaisit Chewputtanagul,
David J. Jackson, Kenneth G. Ricks, “Quaternary
Arithmetic Logic Unit on a Programmable Logic
Device”, proc. IEEE conference, 2001.
[5] Reena Rani, Neelam Sharma, L.K.Singh, “FPGA
Implementation of Fast Adders using Quaternary
Signed Digit Number System” proc. IEEE
International Conference on Emerging Trends in
Electronic and Photonic Devices & Systems
(ELECTRO-2009), 2009, pp 132-135.
[6] Behrooz Parhami, “Carry-Free Addition of Recoded
Binary Signed-Digit Numbers”, IEEE Transactions on
Computers, Vol. 37, No. 11, pp. 1470-1476, November
1988.
[7] A. T. M. Shafiqul Khalid, A. A. S. Awwal and O. N.
Garcia, “Digital Design of Higher Radix Quaternary
Carry Free Parallel Adder”, Proc. 39th Midwest
[11] N. Takagi, H. Yasuura, and S. Yajima, “High Speed
VLSI Multiplication Algorithm with a Redundant
Binary Addition Tree, ” IEEE Trans. Comp., C-34, pp.
789-795, 1985
[12] A.A.S Awwal, Syed M. Munir, A.T.M. Shafiqul
Khalid, Howard E. Michel and O. N. Garcia,
“Multivalued Optical Parallel Computation Using An
Optical Programmable Logic Array”, Informatica,
vol. 24, No. 4,2000, pp. 467-473.
[13] P. K. Dakhole, D.G. Wakde, “ Multi Digit
Quaternary adder on Programmable Device : Design
and verification” International Conference on
Electronic Design, 2008, 1-3 Dec, pp. 1-4.
Authors Profile
Reena Rani obtained M.Tech (VLSI design)
from Banasthali Vidyapith, Rajasthan,
INDIA. Currently pursuing Ph.D. in
Electronics from Dr. Ram Manohar Lohiya,
Avadh University. Wnner of Prize 3rd from
AMIETE council of INDIA. Her research
area is VLSI design.She is Senior Lecturer
in department of Electronics &
Communication Engineering at B.S.A. College of Engineering &
Technology, Mathura (U.P.), and Associate Member Institution of
Electronics and Telecommunication Engineering.
Lakshami Kant Singh obtained Ph.D.
(Optoelectronics) in 1976. He is currently
Director and Professor in Dr. Ram Manohar
Lohiya, Avadh University, Faizabad.U.P.
India. Posts hold was dean faculty of
science, Pro-Vice Chancellor. He has over
35 years of teaching experience and has
published around 30 research papers and
articles. He is a member of the Institution of
Engineers, Institution of Electronics and Telecommunication
Engineering, Delhi, and Computer Society of India.
Neelam Sharma received the PhD and
M.Tech from U.P.T.U., Lucknow UP
and B.E. from Thapar Institute of
Engineering and Technology, Punjab
India. Presently she is Professor in the
Department of Electronics and
Instrumentation Engineering, Institute of
Engineering and Technology, Alwar,
Raj. India. Her current research interests
are Computer Architecture, Neural Networks, VLSI, FPGA, etc.
She has twenty-five research publications and convened number of
sponsored research projects. She is member of IEEE, IETE and IE.
 (IJCNS) International Journal of Computer and Network Security, 67
Vol. 2, No. 9, September 2010

Triple-Critical Graphs
Basheer Ahamed M., and Bagyam I

Department of Mathematics, Karunya University, Coimbatore-641114, Tamilnadu, INDIA

Abstract: A graph G = (V, E ) is said to be double-critical if

G is connected and the chromatic number of G decreases by 2
when any two adjacent vertices of G are removed. We extend
this concept to triple-critical graphs.
Mathematic Subject Classification 2010: 05C15.
Keywords: Complete graphs, Degree, Double-critical k-
chromatic graph, Complete decomposable graph, triple-critical
graphs.
1. Introduction
The double-critical graph conjecture is a special case of
Erdos-Lovasz Tihany conjecture [4], which states that for
any graph G = (V, E ) with χ ( G ) > ω ( G ) and any two
integers a , b ≥ 2 with a + b = χ ( G ) + 1 , there is a
partition (A, B) of the vertex set V(G) such that
χ ( G [ A]) ≥ a and χ ( G [ B]) ≥ b . The double-critical
graph conjecture is proved [2] which states that Kk is the
(only) double-critical k-chromatic graph. In this paper, we
extend the concept to triple-critical graphs and prove a
theorem.
2. Preliminaries
Throughout this paper, we assume that G = (V, E ) is a
finite, connected, undirected, simple graph. . The order and
size of a graph G is represented as n(G ) and m(G )
respectively. The degree of a vertex v is denoted by d (v).
The maximum degree of the graph G is denoted as ∆ (v)
and the minimum degree of the graph G is denoted as
δ (v). A graph G = (V, E ) is said to be a clique or a
complete graph if E = V × V. It is denoted as Kn , where
V = n . Further, the subgraph of G: V (G ) \ {x} is
denoted by G − x.
We summarize some notations and results which are
useful to develop the main results of this paper.
2.1 Definition [6].
A k-coloring of a graph G = (V, E ) is a function φ from
the vertex set V of G into a set c of cardinality k so that
φ (u ) ≠ φ (v) for every edge uv ∈ E (G ).
2.2 Definition [6].
A graph G is k-colorable if it has a k-coloring. The elements
of the set c are referred to as colors and a vertex v ∈ V ( G )
is said to be assigned the color φ ( v) by φ .
2.3 Definition [6].
The chromatic number, denoted by χ (G ) is the minimum
integer ‘k’ for which a graph G is k-colorable.
2.4 Theorem [3].
For any graph G = (V, E ) , we have χ (G ) ≤ Δ (G) +1.
2.5 Theorem [3].
For a complete graph G = (V, E ) , χ (G ) = Δ (G) +1.
2.6 Definition [6].
A graph G = (V, E ) is called vertex-critical or simply
critical if χ (G − v) < χ (G ) for every v ∈ V(G ).
2.7 Definition [7].
A graph G = (V, E ) is said to be double-critical if G is
connected and the chromatic number of G decreases by 2
when any two adjacent vertices of G are removed.
2.8 Definition [6].
A graph G = (V, E ) is said to be decomposable if it
consists of two disjoint non-empty subgraphs G1 and G2
together with all edges joining a vertex of G1 and a vertex
of G2 .
2.9 Theorem [5].
A k-critical graph with at most 2k − 2 vertices is always
decomposable.
2.10 Definition [1].
A graph G = (V, E ) is called complete decomposable if it
consists of two disjoint non-empty subgraphs G1 and G2
together with all the edges that join every vertex of G1 to
every vertex of G2 . Then, the complete decomposition of
the graph G is written as G = G1 ⊗ G2 .

2.11 Theorem [8].

68 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

K5 is the only double - critical 5-chromatic graph. = χ (Ga ) + χ (Gb ) − 3. = χ (G ) − 3.

Therefore, χ (G − vi − v j − vk ) = χ (G ) − 3.
2.12 Theorem [2]. Hence, G is a triple-critical graph.
Kk is the (only) double-critical k-chromatic graph. Case 2: Ga = K2 and Gb = Kn , n > 2.

Sub-case 2(a): vi ∈ V (Ga ) and vi , v j ∈ V (Gb ).

3. Main Results
In this section, we extend the concept of double-critical Using (4), we have χ (Ga − vi ) = χ (Ga ) − 1 and
graphs to triple-critical graphs and prove a theorem. χ (Gb − v j − vk ) = χ (Gb ) − 2. Therefore, we have
3.1 Definition χ (G − vi − v j − vk ) = χ (Ga − vi ) + χ (Gb − v j − vk )
A graph G is said to be triple-critical if G is connected and = χ (G ) − 3. Thus; G is a triple-critical graph.
the chromatic number of G decreases by 3, when any 3 Sub-case 2(b):
vertices of G, which form a triangle are removed.
vi , v j ∈ V (Ga ) and vk ∈ V (Gb ).
3.2 Theorem
By case (1), χ (Ga − vi − v j ) = χ (Ga ) − 2 and
Let G be a complete decomposable graph and G1 and G2
χ (Gb − vk ) = χ (Gb ) − 1. Hence,
be the components of G. If G1 and G2 are complete
χ (G − vi − v j − vk ) = χ (Ga − vi − v j ) + χ (Gb − vk )
graphs on n-vertices, n ≥ 2, then, G is a triple-critical
= χ (G ) − 3. Therefore, G is a triple-critical graph.
graph.
Sub-case 2(c):
Proof:
Consider vi , v j , vk ∈V (Ga ) and no vertex from
By the theorem, Kk is the (only) double-critical k-
chromatic graph, it is clear that V (Gb ) is removed.
A complete graph on k vertices Kk , k ≥ 2 is a By (1), χ (Gb − vi − v j ) = χ (Gb ) − 2. The induced
double-critical graph. (1) graph Gb − vi − v j is a complete graph on n(Gb ) − 2
Since, the complete graph Kk is critical for every
vertices. Therefore,
k, Kk is a critical graph. χ (G − vi − v j − vk ) = χ (Ga ) + {[ χ (Gb ) − 2] − 1}
(2) = χ (Ga ) + χ (Gb ) − 3 = χ (G ) − 3.
Let G be a complete decomposable graph. Then,
Hence, G is a triple-critical graph.
χ (G ) = χ (G1 ) + χ (G2 )
(3) Case 3: Ga = Kn , n > 2 and Gb = Kn , n > 2.
Also, let G1 and G2 be the complete graphs Sub-case 3(a):
on n-vertices, n ≥ 2. Then, clearly from (1) and (2), G1 Let vi , v j ∈ V (Ga ) and vk ∈ V (Gb ). By case (1), G

and G2 are both critical and double-critical graphs. is a triple-critical graph.

Sub-case 3(b):
(4)
Let vi , v j , vk ∈V (Ga ) and no vertices from the
The components Ga and Gb , a ≠ b and a , b = 1, 2 will
component Gb is removed. By sub-case 2(c), G is a triple-
be of three cases.
Case 1: Ga = K2 and Gb = K2 . critical graph.
□
Case 2: Ga = K2 and Gb = Kn , n > 2.
Case 3: Ga = Kn , n > 2 and Gb = Kn , n > 2. We illustrate the above theorem with an example
for each case.
Let vi , v j , vk , i ≠ j ≠ k and vi , v j , vk ∈ V (G ) be
3.3 Example
the three vertices which are removed to verify triple-critical
property of the graph G. For case (1), Let G1 = K2 and G2 = K2 . Then, the graph

Case 1: Ga = K2 and Gb = K2 . G = G1 ⊗ G2 = K2 ⊗ K2 . Then, the chromatic number,

χ (G1 ) = 2, χ (G2 ) = 2 and χ (G ) = 4. After the
Let vi , v j ∈ V (Ga ) and vk ∈ V (Gb ). Then by (4),
removal of the three vertices,
χ (Ga − vi − v j ) = χ (Ga ) − 2 χ (G − va − vb − vc ) = χ (G1 − va − vb ) + χ (G2 − vc )
and χ (Gb − vk ) = χ (Gb ) − 1. Then we have, = χ (G1 ) − 2 + χ (G2 ) − 1 = 1. Therefore, G is triple-
χ (G − vi − v j − vk ) = χ (Ga ) − 2 + χ (Gb ) − 1. critical graph.
 (IJCNS) International Journal of Computer and Network Security, 69
3.4 Example
For subcase 2(a), when G1 = K2 and G2 = K5 ,
G = K2 ⊗ K5 . Then, the chromatic number, χ (G ) = 7,
χ (G1 ) = 2 and χ (G2 ) = 5. Removing a vertex
va ∈ V (G1 ) and two vertices vb , vc ∈ V (G2 ) , we get,
χ (G − va − vb − vc ) = χ (G1 − va ) + χ (G2 − vb − vc )
= 2 − 1 + 5 − 2 = 4. Hence, G = K7 is a triple-critical
graph.
3.5 Example
For subcase 2(b), when G1 = K2 and G2 = K5 ,
G = K2 ⊗ K5 . Then, the chromatic number, χ (G ) = 7,
χ (G1 ) = 2 and χ (G2 ) = 5. Removing two vertices from
G1 and a vertex from G2 , we get,
χ (G − va − vb − vc ) = χ (G1 − va − vb ) + χ (G2 − vc )
= χ (G1 ) − 2 + χ (G2 ) − 1 = 2 − 2 + 5 − 1 = 4. Hence,
G = K7 is a triple-critical graph.
3.6 Example
For subcase 2(c), when G1 = K2 and G2 = K5 ,
G = K2 ⊗ K5 . Then, the chromatic number, χ (G ) = 7,
χ (G1 ) = 2 and χ (G2 ) = 5. Removing no vertex from
G1 and three vertices from G2 , we get,
χ (G − va − vb − vc ) = χ (G1 ) + χ (G2 − va − vb − vc )
= χ (G1 ) + χ (G2 ) − 3 = 2 + 5 − 3 = 4.
Hence, G = K7 is triple-critical graph.
3.7 Example.
For subcase 3(a), when G1 = K3 and G2 = K6 ,
G = K3 ⊗ K6 = K9 . Then, the chromatic number,
χ (G ) = 9, χ (G1 ) = 3 and χ (G2 ) = 6. Removing two
vertices from G1 and one vertex from G2 , we get,
χ (G − va − vb − vc ) = χ (G1 − va − vb ) + χ (G2 − vc )
= χ (G1 ) − 2 + χ (G2 ) − 1 = 3 − 2 + 6 − 1 = 6.
Hence, G = K9 is triple-critical graph.
3.8 Example
For subcase 3(b), when G1 = K3 and G2 = K6 ,
G = K3 ⊗ K6 = K9 . Then, the chromatic number,
χ (G ) = 9, χ (G1 ) = 3 and χ (G2 ) = 6. Removing no
vertex from G1 and three vertices from G2 , we get,
χ (G − va − vb − vc ) = χ (G1 ) + χ (G2 − va − vb − vc )
= χ (G1 ) + χ (G2 ) − 3 = 3 + 6 − 3 = 6.
Vol. 2, No. 9, September 2010
Therefore, G = K9 is a triple-critical graph.
References
[1] M. Basheer Ahamed, I. Bagyam, Complete decomposable
graphs, communicated
[2] M. Basheer Ahamed, I. Bagyam, Double-critical k-
chromatic graphs, accepted
[3] V.K. Balakrishnan, Schaum’s outline of Theory and
Problems of Graph Theory. McGraw Hill, USA, 1997.
[4] P. Erdos, Problem 2. In theory of Graphs (Proc. Colloq.,
Tihany, 1966), pp. 361. Academic Press, New York,
1968.
[5] T. Gallai, Critical graphs, In Theory of Graphs and its
Applications (Proc. Sympos. Smolenice, 1963), Publ.
House Czechoslovak Acad. Sci., pp. 43-45, Prague,
1964.
[6] K. Kawarabayashi, A. Pederson, B. Toft, Double-critical
graphs and complete minors, 2008. [online].
Available:URL:http://arxiv.org/PS_cache/arxiv/pdf/0810
/0810.3133v1.pdf. [Accessed: Dec. 11, 2009].
[7] Matej Stehlik, Critical graphs, Ph.D. Thesis, University
of London, 2003.
[8] M. Stiebitz, K5 is the only double-critical 5-chromatic
graph. Discrete Math., 64: pp. 91-93, 1987.
Authors Profile
Basheer Ahamed M received the Ph,D
degree in Mathematics from
Bharathidasan University in 2005. He is
working as Associate Professor of
Mathematics in Karunya University,
Coimbatore, INDIA.
Bagyam I received the M.Sc degree in
Mathematics from University of Madras
in 2009. She is doing research in
Mathematics at Karunya University.
70 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

A Modified Feistel Cipher Involving Modular

Arithmetic and Interlacing
V. U. K. Sastry1, D. S. R. Murthy2, S. Durga Bhavani3

Dept. of Computer Science & Engg., SNIST, Hyderabad, India,

1
vuksastry@rediffmail.com

Dept. of Information Technology, SNIST, Hyderabad, India,

2
dsrmurthy.1406@gmail.com

3
School of Information Technology, JNTUH, Hyderabad, India,
sdurga.bhavani@gmail.com

appropriately. At the end of each round of the iteration, the

Abstract: In this paper, we have developed a block cipher with
Feistel structure. In this the plain text is consisting of 256 bits
and the key is containing 128 bits. The process of encryption is
carried out by using modular arithmetic and interlacing the
plain text at various rounds of the iterative process. The
avalanche effect and the cryptanalysis firmly indicate that the
cipher is a strong one and it cannot be broken by any
cryptanalytic attack.
Keywords: Feistel Cipher, Modular arithmetic, Interlacing,
avalanche effect, Cryptanalysis, Encryption and Decryption.
1. Introduction
In a pioneering paper, sometime before the development of
DES [1, 2], Feistel [3, 4] developed a block cipher which
involves an iterative procedure including 16 iterations. In
this, the plain text contains 2w binary bits. The procedure
for encryption is governed by the relations
P0 = w, Q0 = w, (1)
and
Pi = Qi-1,
Qi = Pi-1 ⊕ F(Qi-1, Ki), for i = 1 to 16. (2)
Here, Ki is the key in the ith round of the iterative process
occurring in the analysis; P and Q stand for the left and
right halves of the plain text, and ⊕ denotes the XOR
operation. The process of decryption is governed by the
relations
Qi-1 = Pi,
Pi-1 = Qi ⊕ F(Pi, Ki), for i = 16 to 1, (3)
and the initial conditions are taken from the cipher text
obtained at the end of the encryption.
Though this process involves interchange of modified
text from left to right, operation with the key Ki and a
number of rounds in the iteration process, this cipher was
found to be a weak one and it was broken by several
researchers [5].
In the present paper, our objective is to modify the
Feistel cipher by taking the length of the plain text as 8m
bytes (each byte can be represented by a decimal number
lying in the interval 0 to 255) and operating on each 2m
bytes simultaneously by adopting Feistel approach. A square
key matrix K of size m is associated separately with each 2m
bytes as a multiplicant and mod 256 is applied
resulting binary strings are interlaced in an appropriate
manner. This process is expected to enhance the strength of
the cipher enormously.
In what follows, we mention the plan of the paper. We
discuss the development of the cipher, and design the
algorithms for encryption and decryption in section 2. Then
we illustrate the cipher with an example in section 3. After
that we perform cryptanalysis in section 4. Finally, we
present numerical computations and draw conclusions in
section 5.
2. Development of the cipher
Consider a plaintext P containing 8m characters. On using
EBCDIC code, we have 8m decimal numbers (8m bytes).
This can be divided into four parts wherein each one
contains 2m decimal numbers. Then each substring is
further divided into two parts. Let the left and right parts of
the first substring be denoted as P0 and Q0. In a similar
manner, let the portions of the other substrings be denoted
as R0, S0, T0, U0, and V0, W0 respectively. Here, P0, Q0, …,
W0 are vectors wherein each one is having m components.
Let K be a square key matrix of size m.
In this analysis, following Feistel, the processes of
encryption and decryption can be described by the relations
Pi = Qi-1,
Qi = Pi-1 ⊕ (Qi-1 K) mod 256, for i = 1 to n,
(4)
and
Qi-1 = Pi,
Pi-1 = Qi ⊕ (Pi K) mod 256, for i = n to 1.
(5)
In writing these relations, the function F in (2), is
assumed to be in a particular form.
Similar relations can be written for (Ri, Si), (Ti, Ui), and
(Vi, Wi). At the end of each round, after obtaining all the
eight quantities, Pi, Qi, Ri, Si, Ti, Ui, Vi, and Wi, the binary
bits of all the strings can be interlaced (by a procedure
which is described later) and hence the new Pi, Qi, …, Wi
can be obtained.
The flow charts concerned to encryption and decryption
are presented in Fig. 1.
 (IJCNS) International Journal of Computer and Network Security, 71
Vol. 2, No. 9, September 2010

Figure 1. Schematic Digram of the Cipher

Let us now describe the process of interlacing. As we

have m decimal numbers in each part, Pi, Qi, …, Wi, we can
represent them in the form of a matrix, containing binary
bits, as shown below.

(11)
This completes the process of interlacing.
It may be noted here that inverse interlacing is a reverse
(6)
process to interlacing.
In the process of interlacing, we associate the binary
In what follows, we present the algorithms for
bits given above, in a column wise manner. Thus we get the
encryption, and decryption.
new Pi as the first m columns of the matrix in (6), the new
Qi as the next m columns of the matrix in (6), and so on. For Algorithm for Encryption
example,
(7)
In a similar manner, we can obtain Qi to Wi.
Let us illustrate the above process by considering a simple
example. Let

(8)
This can be written in the binary form as shown below.

(9) Algorithm for Decryption

Now on interlacing, we get the new Pi to Wi as follows.

(10)
Here, the first row contains the first four columns of (9),
the second row contains the next four columns of (9) and so
on. Thus we get
72
3. Illustration of the cipher
Consider the plain text given below.
“Dear brother! I have passed my B. Tech (ECE) with
distinction. All this is due to the scholarship sanctioned by
our Government. Now I want to enter into politics”
(12)
Let us focus our attention on the first 32 characters.
This is given by
“Dear brother! I have passed my B” (13)
On using EBCDIC code, (13) can be written in the form
(14)
Let us consider a square key matrix K of size 4. We
have
(15)
On using (14) and (15) and applying the encryption
algorithm, given in section 2, with n = 16, we get the cipher
text C in the form
(16)
On applying the decryption algorithm (See Section 2),
we get back the original plain text given by (13).
Now, let us study the avalanche effect for determining
the strength of the algorithm. Let us change the 24th
character ‘s’ to ‘t’ in (13). Due to this, 162 in (14) becomes
163 and hence, the P0 undergoes a change of 1 binary bit.
Thus the entire plain text comprising P0 to W0 also
undergoes a change of 1 binary bit. Now, on applying the
encryption algorithm on the modified plain text, we get
(17)
On comparing the cipher texts given by (16) and (17),
after converting them into binary form, we find that they
differ by 130 bits. As a change of 1 bit in the plain text is
leading to a change of 130 bits (out of 256 bits) in the cipher
texts, we notice that the cipher is a strong one.
Now let us consider the effect of changing the key by
one binary bit. This can be done by replacing 126 (the 2nd
row 2nd column element of the key) by 127. Now on
applying the process of encryption on the original plain text
(14), we get the new C given by
(18)
On comparing the cipher text C given in (16) and (18),
we notice that they differ by 138 bits (out of 256 bits). This
also shows that the cipher is a strong one.
4. Cryptanalysis
In the study of cryptography [6] the well known methods for
cryptanalysis are:
1. Cipher text only (brute-force) attack
2. Known Plain text attack
3. Chosen Plain text attack
4. Chosen Cipher text attack
In all these attacks, it is assumed that the encryption
algorithm and the cipher text are known to the attacker.
In the brute-force attack, as the key is containing 128
binary bits, the size of the key space is
2128 = (210)12.8 ≈ 1038.4
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
If we assume that the process of encryption with each
key requires 10–7 seconds, then the time required for the
computation with all possible keys is equal to
As this process of computation is taking a very long
time, the brute-force attack is totally impossible.
Let us now study the known plain text attack. In this
case, we are having as many plain text and cipher text pairs
as we require. Here, in carrying out the encryption process,
as the m decimal numbers in each of the 2m decimal
numbers are multiplied by the key and as the portions of the
modified plain text are interlaced at the end of each round of
the iteration process, the key K cannot be determined by any
means.
In the last two cases, that is, in the chosen plain text
attack and in the chosen cipher text attack, intuitively no
special choice appears as a possible one, as the process of
encryption is a complex one.
In the light of the above analysis, we conclude that the
cipher cannot be broken by any attack.
5. Computations and Conclusions
In this paper, we have developed a block cipher by using a
Feistel structure. In this, we have taken a plain text of length
256 binary bits and made use of a key K containing 128 bits.
The programs for encryption and decryption are written in C
language.
On adopting the procedure discussed in section 3, the
cipher text corresponding to the rest of the plain text (which
can be divided into four parts) can be obtained as
The avalanche effect mentioned in section 3 and the
cryptanalysis discussed in section 4, clearly indicate that the
cipher is a strong one, and it cannot be broken by any
cryptanalytic attack.
References
[1] William Stallings, Cryptography and Network Security,
Principles and Practice, Third Edition, Pearson, 2003.
[2] Schaefer, E., “A Simplified Data Encryption Standard
Algorithm”, Cryptologia, Jan 1996.
[3] H. Feistel, “Cryptography and Computer Privacy”,
Scientific American, May 1973.
[4] Feistel, H., Notz, W., and Smith, J., “Some
Cryptographic Techniques for Machine-to-Machine
Data Communications”, Proceedings of the IEEE, Nov.
1975.
[5] R. C. W. Phan, and Mohammed Umar Siddiqi, “A
Framework for Describing Block Cipher
Cryptanalysis”, IEEE Transactions on Computers, Vol.
55, No. 11, pp. 1402 – 1409, Nov. 2006.
[6] D Denning, “Cryptography and Data Security”,
Addison-Wesley, 1982.
 (IJCNS) International Journal of Computer and Network Security, 73
Vol. 2, No. 9, September 2010

A Graph-based Testing of UML2 Sequence

Diagram
Yujian Fu1 and Sha Li2
1
Alabama A&M University, Department of Computer Science
Normal AL, 35762 USA
yujian.fu@aamu.edu
2
Alabama A&M University, Department of Education
Normal AL, 35762 USA
sha.li@aamu.edu

Abstract: Correct functioning of object-oriented software
systems depends upon the successful interaction of objects and
classes. While individual classes may function correctly, several
new faults can arise when these classes are integrated together.
The interaction among classes has increased the difficulty of
object-oriented testing dramatically. Currently traditional
approaches generates testing paths from source code or UML1
diagram lacks of analysis and puts obstacles of automation of
test case generation. In this paper, we present an integrated
approach to enhance testing of interactions among classes. The
approach combines UML2 sequence diagrams and statecharts
hierarchically and generate test paths based on message flow
graph. We have applied it to a case study to investigate its fault
detection capability. The results show that the proposed
approach effectively detects all the seeded faults. As a result,
this work provides a solid foundation for further research on
automatic test case generation, coverage criteria analysis of
sequence diagram based object oriented testing.
Keywords: Software testing, UML model, sequence diagram,
statecharts diagram.
1. Introduction
Nowadays, object-oriented paradigm has become a popular
technology in modern software industry due to several
distinguish features, such as encapsulation, abstraction, and
reusability to improve the quality of software. However,
along with the development of object-oriented software,
compared to testing of procedural software [10, 4], OO
features also introduce new challenges for testers:
communications and interactions between objects may give
rise to subtle errors that could be hard to detect. Although,
most traditional unit testing and system testing techniques
may also be applicable to object-oriented testing, it still
makes a great difference for testing of procedural software
and object-oriented software since object communication
and interaction may introduce more complicated and
unforeseen situations. Therefore, it is necessary to explore
new and effective object-oriented testing technique in theory
and practice.
The Unified Modeling Language (UML) has emerged as the
de facto standard for analysis and design of OO systems.
UML provides a variety of diagramming notations for
capturing design information from different perspectives.
In recent years, researchers have realized the potential of
UML models as a source of information in software testing
[1, 5, 6, 7, 9, 12, 15, 19, 21, 24, 27, 26, 28, 14]. Many UML
design artifacts have been used in different ways to perform
different kinds of testing. For instance, UML statecharts
have been used to perform unit testing, and interaction
diagrams (collaboration and sequence diagrams) have been
used to test class interactions.
As the major benefit of object oriented programming,
encapsulation aims at modularizing a group of related
functionalities in classes. However, a complete system-level
functionality (use case) is usually implemented through the
interaction of objects. Typically, the complexity of an OO
system lies in its object interactions, not within class
methods which tend to be small and simple. As a result,
complex behaviors are observed when related classes are
integrated and several kinds of faults can arise during
integration: interface faults, conflicting functions, and
missing functions [4]. Thus testing each class independently
does not eliminate the need for integration testing. A large
number of possible interactions between collaborating
classes may need to be tested to ensure the correct
communication among classes and further functionality of
the system.
More and more software developers use UML and associated
visual modeling tools as a basis to design and implement
their applications. In addition, UML sequence diagram is
widely used for specifying the dynamic behaviors of classes
and contains necessary information about object
communications in terms of object life lines that is more
propitious to object-oriented software testing. Therefore, in
the research reported in this paper, UML sequence diagram
are used as a basis to generate message flow graph (MFG)
hierarchically. Firstly, we discuss an approach to generated
hierarchical MFG based on sequence and state chart
diagram of corresponding objects. After that, a verification
method is provided for the coverage criteria.
The remainder of the paper is organized as follows. Section
3 presents a brief survey of the related works in the areas of
state-based testing and UML-based test path generation. A
description of classification with respect to UML2 diagrams
is given in Section 2. Section 4 presents an approach to
generate a hierarchical message flow graph based test cases.
This approach can also derive independent testing path. A
case study of a web-based information system is illustrated
74 (IJCNS) International Journal of Computer and Network Security,
in Section 5. Conclusive remarks and future work are,
finally, indicated in Section 6.
2. Related Works
Traditional testing strategies for procedural programs, such
as data flow analysis and control flow analysis cannot be
directly applied to OO programs [22]. Extensions of these
techniques for OO programs have been proposed by Buy et
al. [9] and Martena et al. [25]. A structural test case
generation strategy by Buy et al. [8] generates test cases
through symbolic execution and automates deduction for the
data flow analysis of a class. Kung et al. [20] proposed an
idea to extract state models from the source code, whereas
others suggest test generations from pre-existing state-
models [12, 13, 29]. In the sections below, we will discuss
more specific UML-based testing techniques.
Tse and Xu [30] have proposed an approach to derive test
cases from Object Test Models (OTM). State space
partitions of the attributes of a class are used with the OTM
to generate a test tree. The actual test cases are derived from
the test tree. Nori and Sreenivas [26] have proposed a
specification-based testing technique that splits the
specifications of a class into structural and behavioral
components. Structural aspects define the attributes and
method specifications of a class, whereas state machine is
used to defined the behavioral component that describes the
sequence of method invocation. In the work of [12, 28], an
idea of converting test generation into an AI planning
problem was proposed. UML statecharts are processed by
planning tools and used to produce AI planning
specifications. The test cases are generated based on the
processed statecharts. Another example of statecharts based
test case generation technique was proposed by Kim et al.
[18]. These statecharts are transformed to Extended Finite
State Machines (EFSMs) to generate test cases and then use
traditional control and data flow analysis on the generated
test cases.
Several state-based approaches were proposed based on
state-chart or finite state machine. In the work of [23], Li et
al. presented an approach to testing specific properties of
reactive systems. Kim et al. [17] used statecharts to generate
test sequences for Java-based concurrent systems.
Kansomkeat and Rivepiboon [16] have converted UML
statecharts into an intermediate model known as Testing
Flow Graph (TFG). This graph reduces complexities of
statecharts and produces a simple flow graph. Test cases are
finally generated by traversing the TFG using state and
transition coverage criteria. The proposed methodology was
evaluated using mutation testing. Results of an experiment
carried out to validate the application of Round Trip Test
Strategy [4] on UML statecharts are presented in Briand et
al. [6]. Authors also propose improvements on the strategy
based on the analysis of these results. Swain et al. has
proposed a method of statecharts and activity model based
testing technique by constructing an intermediate model
named state-activity diagram (SAD) [29]. Besides, some
recent work [11] was proposed using formalization on the
statechart diagram to perform model-based testing. In the
work of [3] a semantic model is proposed using the labeled
Vol. 2, No. 9, September 2010
transition system. The formalization of model based testing
represents a new trend of state based testing.
Although many works had been done on the OO testing of
sequence diagram and statecharts diagram, this work is
different from the above unit level testing in two aspects.
First, this work presents a hierarchical synthesized approach
to sequence diagram testing using a message flow graph
(MFG). The proposed MFG is generated from the statechart
that supports message generation in the sequence diagram.
Secondly, the hierarchical structure provides a novel graphic
based testing technique for OO program validation.
3. Graph based Testing Approach
The run-time behavior of an object-oriented system is
modeled by well-defined sequences of messages passed
among collaborating objects. In the context of UML, this is
usually modeled as interaction diagrams (sequence and/or
collaboration diagrams). In many cases, the states of the
objects sending and receiving a message at the time of
message passing strongly influence their behavior in
following aspects:
• An object receiving a message can provide different
functionalities in different states.
• Certain functionalities may even be variable or
unavailable if the receiving object is not in the
correct state.
• The functionality of providing object may also
depend on the states of other objects including the
sending object of a message.
In this work, a graph based testing technique is proposed,
which is on the idea that the communication between objects
should ideally be exercised (represented by sequence
diagram) for all possible states of the objects involved
(statecharts diagram). This is of particular importance in the
context of OO software as many classes exhibit an
interaction state-dependent behavior. Such testing objective
is implemented by generating a graph-based testing
approach and testing path on message flow graph (MFG) on
the defined criteria. The proposed technique can be applied
during the integration test phase, right after the completion
of class testing. It consists of the following three steps:
1. Message Flow Graph (MFG) Generation: We
investigate the sequence diagram of the (sub)system,
and generate corresponding MFG following the MFG
generation algorithm (will be discussed in the
following section).
2. Hierarchical Testing Path Generation: Based on the
MFG of sequence diagram, for each object that we
concern, we refer the state-chart diagram and
generate a MFG for some node of MFG.
3. Coverage Criteria: We test the sequence diagram
against the coverage criteria that we defined.
In the following sub-sections, we describe the proposed
testing technique in greater detail with the help of a simple
example.
 (IJCNS) International Journal of Computer and Network Security, 75
Vol. 2, No. 9, September 2010

3.3 Definitions node nj is defined as a sequence of connected acyclic nodes

First, we introduce message flow graph generation. As we
see, one of the basic communication among objects is
message passing. In sequence diagram, we represent all
communications as messages. Based on the sequence
diagram and each object’s behavior (state-chart diagram),
we can build a message flow graph (MFG).
In this work, we refer message to be as object, expression,
primary variable, and other specific terms defined in UML2.
For instance, a message can be Students = new Student()
which indicates an object is instantiated. An arithmetic
expression z = x+y, a variable double salary, or a stereo type
<< create >> can be a message. Therefore, in this work,
term refers to any legal statement that can be allowed to
used in sequence diagram and state-chart diagram in UML2.
In the next, we first define Message Flow Graph (MFG) that
would be used in the description of our methodology.
from node ni to node nj in G. For any node nk ∈ G, and nk ∉
DP i, there does not exist a dependency path Dpi’ such that
nk ∈ DP i’ and DP i ⊆ DP i’ .
In Fig. 1, N0, N1, N5, N7, N8 is a DP. To generate test cases,
our purpose is to find the enough independent dependency
path (DP) from a completed MFG.
Definition 3 (Independent Dependency Path (IDP))
Given a MFG G =< N, E, L, I >, two dependency paths (Dpi,
DP j ∈ G) are independent from each other iff there is at
least one node (ni) in one DP (DP i) that is not covered in
another DP (DP j), i.e. ni ∈ DP i ∧ ni ∉ DP j, where ni ∈ G,Dpi,
DP j ⊆ G.
To identify IDP, a key issue is to find the predicate node,
since predicate node usually is the one that split the program
to branches. Here we define predicate node as follows.
Definition 4 (Predicate Node) Any boolean condition that
needs to be evaluated can be represented by a predicate
node. A predicate node is associated with more than one
edges that have logic relation.
Graphically, a predicate node is denoted by a box, and
anyregular node as a circle graphically. In Fig. 1, node N2 is
a predicate node, and others are regular nodes. Predicate
nodes take the program to multiple paths and act as the key
nodes of program branches. Predicate nodes are usually by
more than one dependency path. For example, in Fig 1, N0,
N2, N3, N5, N7, N8 and N0, N2, N4, N6 are two IDPs regarding
to predicate node N2.

3.4 MFG generation

Figure 1. Example of Message Flow Graph. This is a systematic approach to generate test cases based on
UML2 sequence diagrams. Given any sequence diagram S D
Definition 1 (Message Flow Graph (MFG)) Message Flow in UML2, we have following two big steps in pseudocode
Graph (MFG) is defined as a directed graph with (N, E, L, form. Subsequently this method is explained using an
V), where example.
• N is a set of nodes, which represent a set of
messages that connect objects in the sequence 1. First, for any message that labeled in SD, we generate a
diagram, denoted by circles. node by following life line of each object. Each node has
• E is a set of edges, which represent flow direction affiliation of its owner (object), and we use dot notation to
between objects, and are denoted by arrows. denote the owner relation.
• L is a label function that maps each node and edge 2. For message mi that involves internal state transitions
to a set of terms (alphabets (constants and (such as method invocation, object creation, and more
variables) and expressions on alphabets), and actions), we generate a subset of MFG for the node (mi).
• I is a set of initial nodes that indicate the starting of
the program. Therefore, each node may be hierarchically represented by a
set of nodes and edges that form a MFG. By traversing this
Each node represents a message, which can be a data MFG, we can tell if the message mi causes the object’s state
(parameter or argument), a method call, or a memory, a transition. In addition, we can tell if message mi+1 is the one
plain text. Each edge represents the dependency relation after message mi of object execution. This approach can
between two nodes, and denoted by (N1, N2), where N1 and connect black-box testing on the inter-class level with white
N2 are two nodes. The direction of the edge N1, N2 is from box testing on the intra-class level. The advantages can be
node N1 to node N2. The direction shows the dependency of not only we can tell if a message is passed properly when an
a given node on others. For example, given a MFG G in Fig. error is detected, but also can we tell internally what causes
1, edge (N1, N2) < G, while edge (N0, N2) ∈ G. the message not passed properly internally of the object.

We define dependency path as follows. For example, in Fig. 1, assume node N6 involve a series of
state transitions, then we can generate a subset of MFG GN6
Definition 2 (Dependency Path (DP)) Given a MFG G =< for it (Fig. 2).
N, E, L, I >, a dependency path (DP i) in G from node ni to
76
Figure 2. A hierarchical structure of MFG shown in Figure
1.
Definition 5 (MFG of Sequence Diagram (SD)) Let
sequence diagram SD be defined as SD, < O, M, Ix >, where
O be the set of object, M be the message set of a class
instance; Ix be the set of index of all messages in SD. Let
MFG G be the message flow graph of sequence diagram
(SD), where GS D =< N, E, L, I > and
• N is the set of all the observable messages mi of set
M, where mi ∈ M;
• E is the set of message communication sequences,
e.g., there is message mi ∈ M and mi+1 ∈ M, the
correspond nodes ni; ni+1 ∈ N form an edge < ni;
ni+1 >.
• L is the set of any message identifiers or pseudo
code.
• I is the set of initial nodes ninit, where init ∈ Ix, and
∀i ∈ Ix, init ≤ i.
It is worth to note that MFG is generated upon the message
passing through objects. The hierarchical subset MFG is
generated upon the state-chart diagram, then the potential
question is how to identify the messages in state-chart
diagram. To solve this problem, we extend the message used
in the MFG to including states. Therefore, we can extend
the above two-step generation algorithm to the state-chart
diagram by following steps:
1. Generate a node in the subset MFG for each state in the
state-chart diagram.
2. Generate a predicate node for each evaluation condition
defined in the label of a transition.
3. Generate an edge for each transition between two states.
4. Generate a label for each label of a transition.
We first generate the MDP in SD, then for some messages
(m ∈ M and M ∈ S D) we refer to SC and generate MDP in
SC. Let the algorithm of MDP generation in SD be
generateMFGS D, and the algorithm of MDP generation in
SC be generateMFGSC. The algorithms are shown in
following.
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
Generation of Predicate Node in Sequence Diagram:
Any fragment in sequence diagram (of UML2) can generate
a predicate node whose condition is evaluated to be a
boolean value. The fragment with the condition is formed a
predicate node. Each predicate node can cause more than
one execution branches. Corresponding to fragment of
sequence diagram of UML2, therefore, we can have three
types of predicate node:
Figure 3. MFG predicate node of optional fragment.
1. Alternative predicate node: for ALT fragment, we have an
alternative predicate node which introduces the program to
two different path depending on the condition satisfaction.
2. Loop predicate node: for LOOP fragment, we have an
iteration predicate node with regarding to condition. The
predicate node takes the program to a certain path when the
condition is met. Otherwise, the predicate node takes the
program to a node that outside the iteration.
3. Optional predicate node: for OPT fragment, there is a
condition defined. If the condition is evaluated to be true,
then execute this optional part; otherwise, skip the optional
fragment. A predicate node of MFG is shown in Fig. 3.
In addition, we have predicate nodes for state-chart
diagram. The predicate node is generated whenever there is
guard condition labeled for a transition or a state action.
Similarly, the predicate node indicates different execution
path inside the object depending on the evaluation of the
condition.
3.5 Testing Path Generation
As the discussion above, atomic generating independent
message dependency path is the essential element of
integrating testing. As compound message dependency path
is related to sequence diagram and statechart diagram, the
generation of message dependency path concerns the parse
of both sequence and statechart diagrams. In this work, we
 (IJCNS) International Journal of Computer and Network Security, 77
define both sequence and statechart diagrams in XML
format so that it’ll be easily to be read and analyzed.
In order to solve the generation problem precisely, we make
two assumptions as follows.
UML Statechart diagram here is deterministic, consistent,
and self-contained. There is no sub state, nested state and
concurrent state. Only message event might be taken
account of.
Message dependency path here is based on life line order
and mapping relationship of the message in sequence
diagram and the actions in state-chart diagram.
Let M be the message set of class instance; Gm be the set of
guard conditions with respect to message m (m ∈ M); p be
independent MDP with respect to message m.
Generating atomic message dependency path from UML
sequence and state-chart diagram comprises the following
steps:
• Extract information from UML sequence and
statechart diagram, and creating message
connecting table.
• Identify message dependency path from sequence
diagram and message response table.
• Generate a hierarchical MFG based on the message
connecting table and diagrams.
• Generate a set of independent message dependency
paths from MFG.
For any sequence diagram, it can be generated a message
flow graph (MFG) in the top level if assume there is no
internal investigation of any objects. However, if we need to
traverse the internal states for some message of some object,
the MFG will be hierarchical. For example, in Fig. 2, there
are 5 IDPs considering the hierarchy representation of node
N6.
6. Conclusion and Future Work
In this paper, we have presented a new strategy for class
integration testing that is based on a hierarchical approach
that combines information from sequence diagram and
statechart diagrams and converts into the form of a direct
flow graph based on message communication (MFG). The
motivation is to exercise class interactions in the context of
multiple state combinations in order to detect program
faults. Therefore, it takes into account the messages of all
objects involved in a communication to exercise class
interactions in the context of integration testing. For
instance, if the functionality provided by an object depends
on the message of other objects, then the proposed technique
can effectively detect faults occurring due to invalid object
messages.
Acknowledgment
Authors would like to thank all reviewers for their kind
comments and valuable suggestions.
Vol. 2, No. 9, September 2010
References
[1] Abdurazik and J. Offutt. Using uml collaboration
diagrams for static checking and test generation.
pages 383–395. Springer, 2000.
[2] J. H. Andrews. Is mutation an appropriate tool for
testing experiments. In In ICSE 05: Proceedings of
the 27th international conference on Software
engineering, pages 402–411. ACM Press, 2005.
[3] H. R. Asaadi, R. Khosravi, M. Mousavi, and N.
Noroozi. Towards Model-Based Testing of Electronic
Funds Transfer Systems, May 2010.
[4] R. V. Binder. Testing Object-Oriented Systems-
Models, Patterns, and Tools. Addison-Wesley
Professional, Novmember 1999.
[5] K. Bogdanov. Automated Testing of Harels
statecharts. PhD thesis, University of Sheffield, 2000.
[6] L. C. Briand, M. Di Penta, and Y. Labiche. Assessing
and improving state-based class testing: A series of
experiments. IEEE Trans. Softw. Eng., 30(11):770–
793, 2004.
[7] L. C. Briand and Y. Labiche. A uml-based approach
to system testing. In UML’01: Proceedings of the 4th
International Conference on The Unified Modeling
Language, Modeling Languages, Concepts, and
Tools, pages 194–208, London, UK, 2001. Springer-
Verlag.
[8] U. Buy, A. Orso, and M. Pezz. Automated testing of
classes. In Proceedings of the International
Symposium on Software Testing and Analysis, pages
39–48, New York, NY, USA, 2000. ACM Press.
[9] U. Buy, A. Orso, and M. Pezze. Automated testing of
classes. SIGSOFT Softw. Eng. Notes, 25(5):39–48,
2000.
[10] W. K. Chan, T. Y. Chen, and T. H. Tse. An overview
of integration testing techniques for object-oriented
programs. In Proceedings of the 2nd ACIS Annual
International Conference on Computer and
Information Science (ICIS 2002), pages 696–701.
2002.
[11] V. A. de Santiago Junior, M. Cristia, and N. L.
Vijaykumar. Model based test case generation using
statecharts and Z: A comparison and a combined
approach. Technical Report INPE-16677-RPQ-850,
2010.
[12] P. Frohlich and J. Link. Automated test case
generation from dynamic models. In ECOOP ’00:
Proceedings of the 14th European Conference on
Object-Oriented Programming, pages 472–492,
London, UK, 2000. Springer-Verlag.
[13] L. Gallagher, J. Offutt, and A. Cincotta. Integration
testing of object-oriented components using finite
state machines: Research articles. Softw. Test. Verif.
Reliab., 16(4):215–266, 2006.
[14] Hartman and K. Nagin. The agedis tools for model
based testing. SIGSOFT Softw. Eng. Notes,
29(4):129–132, 2004.
[15] J. Hartmann, C. Imoberdorf, and M. Meisinger.
UML-based integration testing. In ISSTA’00:
Proceedings of the 2000 ACM SIGSOFT
international symposium on Software testing and
78 (IJCNS) International Journal of Computer and Network Security,
analysis, pages 60–70, New York, NY, USA, 2000.
ACM.
[16] S. Kansomkeat and W. Rivepiboon. Automated-
generating test case using uml statechart diagrams. In
SAICSIT ’03: Proceedings of the 2003 annual
research conference of the South African institute of
computer scientists and information technologists on
Enablement through technology, pages 296–300, ,
Republic of South Africa, 2003. South African
Institute for Computer Scientists and Information
Technologists.
[17] S.-K. Kim, L.Wildman, and R. Duke. A uml
approach to the generation of test sequences for java-
based concurrent systems. In ASWEC ’05:
Proceedings of the 2005 Australian conference on
Software Engineering, pages 100–109,Washington,
DC, USA, 2005. IEEE Computer Society.
[18] Y. Kim, H. Hong, D. Bae, and S. Cha. Test cases
generation from uml state diagrams. Software, IEE
Proceedings, 146(4):187–192, 1999.
[19] Y. Kim, H. S. Hong, S. Cho, D. H. Bae, and S. D.
Cha. Test cases generation from uml state diagrams.
In In IEEE Proceedings: Software, pages 187–192,
1999.
[20] D. C. Kung, P. Hsia, Y. Toyoshima, C. Chen, and J.
Gao. Object-oriented software testing: Some research
and development. In HASE ’98: The 3rd IEEE
International Symposium on High-Assurance Systems
Engineering, pages 158–165, Washington, DC, USA,
1998. IEEE Computer Society.
[21] D. C. Kung, N. Suchak, J. Gao, P. Hsia, Y.
Toyoshima, and C. Chen. On object state testing. In
in Proceedings of Computer Software and
Applications Conference, pages 222–227. IEEE
Computer Society Press, 1994.
[22] D. C. Kung, N. Suchak, J. Gao, P. Hsia, Y.
Toyoshima, and C. Chen. On object state testing. In
in Proceedings of Computer Software and
Applications Conference, pages 222–227. IEEE
Computer Society Press, 1994.
[23] S. Li, J. Wang, and Z.-C. Qi. Property-oriented test
generation from uml statecharts. In ASE ’04:
Proceedings of the 19th IEEE international
conference on Automated software engineering,
pages 122–131, Washington, DC, USA, 2004. IEEE
Computer Society.
[24] W. Linzhang, Y. Jiesong, Y. Xiaofeng, H. Jun, L.
Xuandong, and Z. Guoliang. Generating test cases
from uml activity diagram based on gray-box method.
In APSEC ’04: Proceedings of the 11th Asia-Pacific
Software Engineering Conference, pages 284–291,
Washington, DC, USA, 2004. IEEE Computer
Society.
[25] V. Martena, A. Orso, and M. Pezz´e. Interclass
testing of object oriented software. In ICECCS ’02:
Proceedings of the Eighth International Conference
on Engineering of Complex Computer Systems, page
135, Washington, DC, USA, 2002. IEEE Computer
Society.
[26] A. V. Nori and A. Sreenivas. A technique for model-
based testing of classes. In Proceedings of the Second
Vol. 2, No. 9, September 2010
International Workshop on Software Engineering
Tools and Techniques, 2001.
[27] H. Reza, K. Ogaard, and A. Malge. A model based
testing technique to test web applications using
statecharts. In ITNG’08: Proceedings of the Fifth
International Conference on Information Technology:
New Generations, pages 183–188, Washington, DC,
USA, 2008. IEEE Computer Society.
[28] M. Scheetz, A. v. Mayrhauser, R. France, E.
Dahlman, and A. E. Howe. Generating test cases
from an oo model with an ai planning system. In
ISSRE ’99: Proceedings of the 10th International
Symposium on Software Reliability Engineering,
page 250, Washington, DC, USA, 1999. IEEE
Computer Society.
[29] S. K. Swain, D. P. Mohapatra, and R. Mall. Test case
generation based on state and activity models. Journal
of Object and Technology, 9(5):1–27, 2010.
[30] T. Tse and Z. Xu. Class-level object-oriented state
testing: A formal approach. Technical Report HKU
CSIS Technical Report TR-95-05, Department of
Computer Science, The University of Hong Kong,
1995.
[31] Q. ul-ann Farooq, M. Z. Z. Iqbal, Z. I. Malik, and M.
Riebisch. A model-based regression testing approach
for evolving software systems with flexible tool
support. Engineering of Computer-Based Systems,
IEEE International Conference on the, 0:41–49,
2010.
Authors Profile
Yujian Fu is an assistant professor at department of computer
science. Dr. Fu received the B.S. and M.S. degrees in Electrical
Engineering from Tianjin Normal University and Nankai
University in 1992 and 1997, respectively. In 2007, she received
her Ph.D. degree in computer science from Florida International
University. Dr. Yujian Fu conducts research in the software
verification, software quality assurance, runtime verification, and
formal methods. Dr. Yujian Fu continuously committed as a
member of IEEE, ACM and ASEE.
Sha Li is an associate professor at department of curriculum,
teaching and educational leadership, school of education of
Alabama A&M University. Dr. Sha Li received his doctorial
degree of educational technology from Oklahoma State University,
2001. Sha Li’ research interests include distance education,
instructional technology, instructional design and multimedia for
learning.
 (IJCNS) International Journal of Computer and Network Security, 79
Vol. 2, No. 9, September 2010

Performance Evaluation of Peer–to-Peer system in

Video on Demand with Load Sharing Scheduling
Algorithm
S.Nagaprasad1*, A.VinayaBabu2, K.Madhukar3, D.Marlene G Verghese4, V.Mallaiah1and A.Sreelatha5
1
Research Scholar, Dept. of CSE,
Aacharya Nagarjuna University, Guntur,
1
*nagkanna80@gmail.com
2
Professor, Dept. of CSE,
JNTU College of Engineering, Hyderabad,
avb1222@gmail.com
3
Professor, Nizam College, Osmania University, Hyderabad
mkatakam@osmania.ac.in
4
Associate Professor
Bhimavaram Institute of Engineering & Technology
Pennada, West Godavari
marlenedegala@yahoo.co.in
5
Student, Dept. of CSE,
JITS College of Engineering, Karimnagar,
sreelathu_alugoju@yahoo.com

Abstract: Peer-to-Peer (P2P) networks have been shown to be
a promising approach to provide large-scale Video on Demand
(VoD) services over Internet for its potential high scalability.
However, for a normal peer, how to efficiently schedule media
data to multiple asynchronous peers for VoD services in such
networks remains a major challenge. These systems
dramatically reduce the server loading, and provide a platform
for scalable content distribution, as long as there is interest for
the content. The main challenges reside in ensuring that users
can start watching a movie at any point in time, with small start-
up times and sustainable playback rates. In this work, we
address the challenges underlying the problem of near Video-
on-Demand (nVoD) using P2P systems, and provide evidence
that high-quality nVoD is feasible. In particular, we investigate
the scheduling problem of efficiently disseminating the blocks of
a video file in a P2P mesh-based system, and show scheduling
algorithm can provide significant benefits and the experimental
results will show that load sharing scheduling performs
significantly better than other dynamic algorithm, network
coding.
Keywords: Networks, VoD, nVoD, P2P.
1. Introduction
Video-on-demand (VoD) systems provide multimedia
services offering more flexibility and convenience to users
by allowing them to watch any kind of video at any point in
time. Such systems are capable of delivering the requested
information and responsible for providing continuous
multimedia visualization [5].
Currently, the traffic generated by P2P systems accounts
for a major fraction of the Internet traffic today, and is
bound to increase. The increasingly large volume of P2P
traffic highlights the importance of caching such traffic to
reduce the cost incurred by Internet Services Providers
(ISPs) and alleviate the load on the Internet backbone.
We are faced with a problem of delivering quality video
to a single receiver computer. In the streaming scenarios,
the entire video is not always available at every peer
machine and/or it would not be feasible to transmit the
entire video from a single peer ,for example, that would
overload a particular peer. The beauty of streaming is
obviously the fact that we don’t need to have the entire video
downloaded before the play out begins [6][10]. We can
simply split the video file, identify the peers that have the
segments of interest available, request these segments from
the peers, receive them and play them out.
An important requirement of a VoD service is scalability,
i.e., to be able to support a large number of users, as a
typical video stream imposes a heavy burden both on the
network and the system resources e.g. disk I/O of the server.
The multicasting paradigm has been proposed to address the
scalability issues. However, these systems require a
multicast-enabled infrastructure, which unfortunately has
never materialized. Peer-to-Peer networks promise to
provide scalable distribution solutions without infrastructure
support.
80
The difficulty lies in the fact that users need to receive
blocks “sequentially” in order to watch the movie while
downloading, and, unlike streaming systems, the users may
be interested in different parts of the movie, and may
compete for system resources. In other words, we assume
linear viewing, but we allow the users to join at arbitrary
times. The resources especially network bandwidth of the
server are limited, and hence users contribute their own
resources to the system. Users organize themselves in an
unstructured overlay mesh which resembles a random
graph. The goal then is to design a P2P system which meets
the VoD requirements, while maintaining a high utilization
of the system resources [10].
We study algorithms that provide the users with a high-
quality VoD service while ensuring a high utilization of the
system resources. We evaluate our algorithm such as
segment scheduling using both extensive simulations and
real experiments under different user arrival/departure
patterns. The results will show that load sharing scheduling
algorithm will be able to improve throughput for bulk data
transfer and scheduling that results in high system
throughput while delivering content “pseudo sequentially”,
to provide efficient VoD with small setup delays as
compared to other dynamic algorithms such as Segment
Scheduling and Network Coding[1][2][6].
In this paper we are implementing Scheduling which
takes Segment Scheduling in which the entire video is
divided into segments once the play out begins. It takes
video in the form of segments, define the segments, identify
the peers that have segments of interest available, request
these segments from the peers , receive them and play them
out. Load sharing Scheduling algorithm will improve
performance by increasing sender’s bandwidth, dividing
segments based on loads and the number of segments and
decreasing number of missed segments. Section 2 describes
Architecture of the peer to peer system with load sharing
scheduling algorithm. Section 3 describes brief description
of algorithm. Section 4 describes the implementation of the
whole algorithm, Section 5 describes simulations and
Section 6 presents our conclusion.
2. Architecture and Environment
P2P-VoD system has the following major components:
(a)A set of servers as the source of content (e.g., movies);
(b)A set of trackers to help peers connect to other peers to
share the same content;
(c) A bootstrap server to help peers to find a suitable tracker
(e.g. based on which geographical region the peer is
located), and to perform other bootstrapping functions;
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
(d)Other servers such as log servers for logging significant
events for data measurement, and transit servers for helping
peers in the system [11].
We assume a large number of users interested in some
video content, which initially exists on a special peer that
we call the server. Users arrive at random points in time,
and want to watch the video sequentially from the beginning
of the server are limited, and hence, users should contribute
their own resources to the system. The upload and download
capacities of the users are also limited and typically
asymmetric. A client joins the system by contacting a central
tracker. This tracker gives the client a small subset of active
nodes .The client then contacts each of these nodes and joins
the network. At any point in time, a node is connected to a
small subset of the active nodes, and can exchange content
and control messages only with them. We call this subset
the neighborhood of the node.The neighborhood changes as
a result of node arrivals and departures, and because nodes
periodically try to find new neighbors to increase their
download rates. We assume cooperative nodes. The file is
divided into a number of segments, which are further
divided into blocks. The system is media codec agnostic,
hence, nodes need to download all blocks; if a block is not
available when needed, the video pauses and this is
undesirable. Clients have enough storage to keep all the
blocks they have downloaded.
Our system divides the constant stream of data into
stripes to improve performance and robustness. In a peer-to-
peer system, the stream of data is dis-rupted whenever a
client leaves the system either due to a failure or a regular
disconnects. Since clients receive pieces of the content from
different senders, they can continue to receive some data
even if one of the senders disconnects. To further hide
disruption from the user, a client keeps a buffer of several
seconds of data. When a client reconnects after being cut off
from a sender, the buffer allows the video to play smoothly
as the client catches up on the data that was missed during
the disconnection. In a one-directional live video streaming
system, it is allowable for the video to be viewed a few
seconds after its creation.
Figure 1. System Architecture of Video on demand
 (IJCNS) International Journal of Computer and Network Security, 81
The goals of our system include the following:
• To ensure low set up time and a high sustainable
playback rate for all users, regardless of their
arrival time.
• We are also interested in increasing the total number
of blocks exchanged per round, which we call
throughput, and the total server bandwidth.
3. Related Work
The overall throughput improves if all the nodes seek to
improve the diversity of segments in the network. If the
segment policy is to upload a block from a lesser represented
segment whenever possible throughput improves
significantly for both existing and new nodes [15] [19].
We are faced with a problem of delivering quality video
to a single receiver computer. In the streaming scenarios,
the entire video is not always available at every peer
machine and/or it would not be feasible to transmit the
entire video from a single peer.
It is important that we provide a continuous supply of the
video segments once the play out begins. If only a few
segments are missing once in a while, the video quality will
still be acceptable by most standards. If too many segments
are missing the video and the audio quality will suffer and
the media will not be useful. A missing segment does not
always indicate network failure (due to congestion or
other problems). It may simply mean that the segment was
not available at the receiver’s media player at the time it was
supposed to be rendered, i.e. the segment deadline was
missed. The main problem that we are solving is creating a
schedule that minimizes the number of video segments
missing their deadlines [14][15][18][19].
Load Sharing Scheduling Algorithm provides track of
every sender’s estimated load. Before we can sort the list of
suppliers for segments, where segment has n potential
suppliers, we create a look-ahead estimated load, i.e. what
would be the load of each one of those potential suppliers if
segment s was to be assigned to them. Once we have these
look-ahead estimated loads, we can sort the list of potential
suppliers in the increasing order of the estimated load. Since
we do not have a guarantee that the supplier with the
smallest estimated load is suitable to deliver segments, we
iterate over the list of potential suppliers. Algorithm
minimizes the number of missed segments and the easiest
way to do this is to compare it against a couple of other
known scheduling algorithms and the results show that that
load sharing scheduling improves the throughput of the
system and decrease missed segments[20].
4. Load Sharing Scheduling Algorithm
Vol. 2, No. 9, September 2010
Our algorithm hinges on having a good estimate of how
well-represented a segment is. This estimate should include
nodes that have the complete segment, and those that have
partially downloaded the segment. In our implementation,
the tracker monitors the rarity of segments in the network.
Clients in our system report the fraction of blocks they have
received from each segment. Those fractions are used to
estimate the popularity of the segments; for example, a
segment is considered under-represented if the vast majority
of nodes have very few blocks from that segment [14] [15].
The primary objective of the scheduling algorithm is to
create a schedule such that all requested video segments are
delivered to the receiver before their respective deadlines. If
that is impossible to achieve given insufficient resources,
etc., we want to minimize the number of segments missed.
We also have two secondary objectives. We want to make
efficient use of the bandwidth and avoid transmitting
segments before they are required because there is no
guarantee that they will even be used. Finally, since we do
not want to overload any of the senders, we make sure that
the peers are load balanced. The sender for a particular
segment is selected based on the estimated load of each
sender. The estimated load of a sender is the amount of
work time spent transmitting segments that the sender has
assigned by the schedule at a particular instance of time.
The time it takes a particular sender to transmit a segment
depends on the segment size and the sender bandwidth. We
predict the load of each sender by temporarily assigning the
next scheduled segment to each sender. We select the sender
with the smallest predicted estimated load. This ensures that
the load is shared among all the senders. The proper
segment transmission start time is also most essential for a
successful schedule. We schedule each segment to arrive at
the receiver a fixed amount of time before its deadline thus
fixing the client buffer. This ensures the least amount of
bandwidth wasted on unsolicited video segments.
In situations where senders do not have all segments
available, we must make sure that we do not commit a
sender who is the only one that can deliver particular
segments to do work delivering other segments that could be
delivered by other senders. When determining the
appropriate peer to deliver a segment, we must therefore
examine the number of potential senders that have the
segment available. It is usually more difficult to meet the
deadline of a segment that has fewer potential suppliers [4]
[10] [14] [15]. For this reason, the algorithm first calculates
the number of potential suppliers for each segment and the
segments with least potential suppliers are scheduled first.
That is, the segments with one potential supplier are
scheduled first, then segments with two potential suppliers,
82 (IJCNS) International Journal of Computer and Network Security,
then three and so on. This is a potential area of improving
the algorithm in the future because it is not always necessary
to schedule the segments with the least potential suppliers
first. It is still possible to change segment scheduling order
from the order of the number of potential suppliers and still
create an efficient schedule where all segment deadlines are
met. The proper segment transmission start time is also
most essential for a successful schedule. We schedule each
segment to arrive at the receiver a fixed amount of time
before its deadline thus fixing the client buffer. This ensures
the least amount of bandwidth wasted on unsolicited video
segments [16] [18].
In the most general form we are given a set of n video
segments, S = {S1, S2, . . . , Sn}, with an associated set of
segment lengths, L = {L1, L2, . . . , Ln}, and a set of
segment deadlines, D = {D1, D2, . . . , Dn}. We also have a
set of m peers, P = {P1, P2, . . . , Pm} with an associated set
of peer bandwidths, B = {B1, B2, . . . , Bm}[20]. Finally, we
are given the set of segment ranges available at each peer.
Since typically peers hold contiguous ranges of segments,
we assume that the segment range at each peer is simply
given by the highest segment number available. We assume
that all segments with lower segment numbers are also
available at that peer. The set of available segments is given
by A = {A1, A2, . . . , Am}. We need to create a schedule J
where each segment has an assigned peer and transmission
start time such that the segment will be transmitted to the
receiver before its deadline. Since this may not always be
possible and missed segments must be taken into
consideration, we want to minimize the number of segments
that miss their deadlines. We have the additional constraint
that the schedule cannot exceed the incoming receiver
bandwidth.
Consider an instance of the segment scheduling problem
where we are given a set of n segments.
S = {S1, S2,..., Sn} and a set of m peers
P = {P1, P2,..., Pm}. We apply two restrictions:
1) There is only one sender peer available, i.e. m = 1.
2) The sender peer has all the segments available.
The segment transmissions are the tasks that need to be
scheduled. The release time of each segment transmission is
0. Since we only have one sender, clearly only one segment
can be transmitted at a time.
The execution length of each task is the segment
transmission time, which can be calculated from the
Segment length and the sender’s bandwidth. Every segment
still has a deadline. At this point, it should be obvious that
we have an instance of sequencing the Sender’s problem to
be solved by our Efficient Scheduling algorithm.
Increasing the average sender bandwidth has very little
effect on the execution time but a higher average sender
Vol. 2, No. 9, September 2010
bandwidth decreases the number of missed segments which
solves the problem of missing segments. It’s possible that
we will have any number of segments with n potential
suppliers; we must iterate over the list of segments with n
potential suppliers. If we have large-scale video, we can
simply split the video file into well defined segments,
identify the peers that have the segments of interest
available, request these segments from the peers receive
them and play them out. In situations where senders do not
have all segments available, we must make sure that we do
not commit a sender who is the only one that can deliver
particular segments to do work delivering other segments
that could be delivered by other senders.
The first task is to create the segment supplier table. The
reason for creating this table is to enable actual schedule
creation code to iterate the segments in the increasing order
of the number of segment suppliers. The Segment table
should fetch data in such a way that it can be easy to
retrieve. For every potential sender p for segment s, we must
confirm that the sender p is suitable to deliver segment s.
This means that sender p must be able to deliver segment s
before its deadline and it cannot overload the receiver, i.e.
the resulting bandwidth at the receiver must be ≤ maximum
Bandwidth. Secondly, we create schedule that minimizes the
number of video segments missing their deadlines.
Increasing the average sender bandwidth has very little
effect on the execution time but a higher average sender
bandwidth decreases the number of missed segments which
solves the problem of missing segments. It’s possible that
we will have any number of segments with n potential
suppliers; we must iterate over the list of segments with n
potential suppliers. This data is readily available from the
segment supplier table. For every segment with n potential
suppliers, we need to determine its sender and transmission
start time. Since we want to schedule the segments with
least potential suppliers first, we must iterate over the
collection of segment supplier table indices in the increasing
table index order. It’s possible that we will have any number
of segments with n potential suppliers; we must iterate over
the list of segments with n potential suppliers. This data is
readily available from the segment supplier table. For every
segment with n potential suppliers, we need to determine its
sender and transmission start time.
Here, schedule creation iterates the segments in the
increasing order of the number of segment suppliers. The
data is arranged in such a way that it is easy to retrieve. For
every potential sender p for segment s, we must confirm that
the sender p is suitable to deliver segment s. Then, the
segments are transferred from senders to the receivers with
the least segment first. The step 5-10 iterates the loop for
loading peers. The segments are then loaded at the client
 (IJCNS) International Journal of Computer and Network Security, 83
side with the increased bandwidth at the server side. The
bandwidth of client should not exceed the maximum
available bandwidth at Server side. Finally, the scheduled
peers are returned.
For every potential sender p for segment s, we must
confirm that the sender p is suitable to deliver segment s.
This means that sender p must be able to deliver segment s
before its deadline and it cannot overload the receiver, i.e.
the resulting bandwidth at the receiver must be ≤ maximum
bandwidth. As the initial guess, we set the start time to be
such that segment s will arrive at the receiver right before its
deadline and before we confirm this transmission slot for
segment s we must make sure that it doesn’t violate the
maximum bandwidth constraint.
Figure 2. Load Sharing Scheduling Algorithm Replication
Strategy of Segments
Assuming each peer contributes with some amount of hard
disc storage, a P2P storage system is formed by the entire
viewer population, each of them containing segments. Once
all the segments are available locally, the segment is
advertised to other Peers. The aim of replication strategy is
to make segments available to every user in the shortest time
possible in order to meet with viewing demands. Design
issues regarding replication strategies contemplate:
(i) Allowing multiple movies to be cached if there is room
on the hard disc. This is referred as multiple movie cache
(MVC); and lets a peer watching a movie upload a different
movie at the same time.
Vol. 2, No. 9, September 2010
(ii) To pre-fetch or not to pre-fetch;
while pre-fetching could improve performance, it could also
waste uplink bandwidth resources of the peer.
(iii) Selecting which segment or movie to remove when the
disc cache is full; preferred choices for many caching
algorithms are least recently used (LRU) or least frequent
used (LFU).
Content Discovery:
Together with a good replication strategy, peers must also be
able to learn who is holding the content they need without
introducing too much overhead into the system. P2P systems
depend on the following methods for content discovery:
(i) A tracker; to keep track of which peers are replicating
what part of the movie;
(ii) DHT; used to assign movies to trackers for load
balancing purposes.
Congestion Control
• Rate Control-Match the rate of the video stream to the
maximum available bandwidth thus reducing congestion
and segment loss. Without rate control segments which
would exceed the maximum bandwidth would be discarded.
This approach focuses on the transport concept.
• Rate-adaptive video encoding -Use compression to make
video feeds more practical and bandwidth efficient. This
approach focuses on the compression concept.
• Rate Shaping -This approach is a combination of the
previous two. The video feed is being re-coded with rate-
adaptive video encoding and rate control makes sure there is
no loss in segments.
5. Performance Evaluation
In this section we evaluate the performance of both
segment scheduling and load sharing scheduling algorithm.
Initially, we will present data that compares the segment
rate of both the algorithms. Then Load sharing Scheduling
algorithm will be compared with another dynamic
algorithm. And then the results will clearly show that load
sharing scheduling algorithm is better than segment
scheduling especially under the missed segments.
5.1. Simulation Set Up:
Matlab Software was used for all simulations. Along with
load sharing scheduling algorithm network coding and
segment scheduling will also be simulated for benchmark
comparison purposes. In general, the behavior of the
algorithms is rather intuitive. For all 3 algorithms,
increasing the number of senders has very little effect on
the execution time but having more senders’ decreases the
number of missed segments. Similarly, increasing the
average sender bandwidth has very little effect on the
execution time but a higher average sender bandwidth
84 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

decreases the number of missed segments. Finally, simulated scheduling algorithm with increased bandwidth
increasing the bit rate has similar effects, i.e. it has little on server side systems used in our experiments.
effect on the execution time but increasing the bit rate
increases the number of missed segments[11][13]. Table 1: System Parameters.
The parameters that we should vary include:
Parameters. Values
• Average segment size, i.e. video quality (bit rate) Segments 10
• Segment count (shorter vs. longer videos) Potential Suppliers 4
• Number of senders Bandwidth 100kbps
• Bandwidth of senders bandwidth1 80kbps
Deadline 60 seconds
• Receiver’s bandwidth
Size 250kbs
For each scenario, we should compare the results of each Available 2
algorithm according to the following criteria:
• Number of missed segments 5.2 Impact of missed Segments:
• Running time The Graph here shows the segment loss is less in load
In the current evaluation, the maximum receiver bandwidth sharing scheduling algorithm as compared to other dynamic
constraint has been ignored for all test cases. Since we are algorithms. Measuring the available bandwidth is of great
most interested in the effects of the bit rate on the number of importance for predicting the end-to-end performance of
missed segments and the algorithm execution time, most applications, for dynamic path selection and traffic
results provide an execution time or number of missed engineering, and for selecting between a numbers of
segments vs. bit rate graphs. More specifically, we plot the differentiated classes of service. The available bandwidth is
following result graphs: an important metric for several applications, such as grid,
a. Execution time/missed segments vs. time for varying video and voice streaming, overlay routing, p2p file
number of segments transfers, server selection, and inter domain path
b. Execution time/missed segments vs. time for varying monitoring. The overall throughput improves if all the
number of senders nodes seek to improve the diversity of segments in the
c. Execution time/missed segments vs. time for a varying network.
average sender bandwidth.
d. Missed segment and execution time algorithm
comparison graph.
On the other hand, increasing the number of segments
(video length) has little effect on the number of missed
segments or at least little effect on the bit rate at which the
number of missed segments starts to increases but in the
case of the segment scheduling algorithm, longer videos
take more time to schedule. This could possibly be caused by
the fact that those 2 algorithms are much faster than the
Load Sharing Scheduling algorithm and the inputs provided Graph1. Bit Rate v/s Time.
in the tests do not stress the algorithms enough to product From the above graph we can conclude that as the
trends in the execution time graphs. transmission time increases for the senders the amount of
When comparing the algorithms, the general trends data that can be sent through the sender of a particular
exhibited by all 3 of them are very similar. When comparing segment, the data rate of the segment decreases.
actual values, it becomes evident that the Load Sharing
Scheduling algorithm is superior to the other 2 when it
comes to minimizing the number of missed segments but in
most cases, this algorithm takes a lot to compute the results.
This table-1 summarizes various system parameters
which are included in the simulation calculation and the
system used for our experiments. Before presenting
empirical results, we present the simulation model as
follows. Table 1 summarizes the configuration parameters of
Graph 2. Time v/s Bit rate for varying Segments
 (IJCNS) International Journal of Computer and Network Security, 85
From the above graph we can conclude that as transmission
time increases for the senders the number of segments that it
can handle in any given time reduces and hence the bit rate
decreases.
5.3 Scalability:
Generally speaking, scalability can be defined as the
adaptability to changes in the peer-to-peer system size, load
extent and nature of the load. That is, the network load
should be distributed evenly among the peers, which means
that every peer should be aware of approximately the same
number of other peers. From the data it can be concluded
that our algorithm is more scalable than other dynamic
algorithm such as segment scheduling and network coding.
The second approach to deal with the scalability issue of
video streaming systems is to use P2P load sharing. “P2P
networking architectures receive a lot of attention nowadays,
as they enable a variety of new applications that can take
advantage of the distributed storage and increased
computing resources offered by such networks”. Their
advantage resides in their ability for self organization,
bandwidth scalability, and network path redundancy, which
are all very attractive features for effective delivery of media
streams over networks .Also the space is saved for the peers
as the replicas will be deleted.
6. Conclusion
The success of the peer-to-peer paradigm in both file
distribution and live streaming application derived in the
adoption of this technology for the delivery of video-on-
demand content. Fast response time is a technology factor
that end-users demand. Considerable research has been
performed to find better ways to arrange data such that fast
response time can be achieved by increasing throughput and
maximum bandwidth with low startup delay. Load sharing
scheduling is better for improving the performance of peer-
to-peer systems. Though further work is required towards a
better understanding of the efficacy of our algorithms in
more realistic scenarios, we believe that the guidelines
proposed in this paper can be used to build high-
performance P2P VoD systems. Thus, high quality VoD is
feasible with high playback rates.
Our system was designed to guarantee that the video
starts playing shortly after the beginning of the download,
and progresses without interruptions until the end of the
movie. While we have made an implicit assumption that
users watch the entire video linearly, we believe that the
same principles used in our system could be extended to
support non-linear viewing, i.e., where users would be able
to start watching from arbitrary points in the video and
perform fast forward and rewind operations. However, if the
user desires to watch a part of the video that is not available
Vol. 2, No. 9, September 2010
locally, then the user will suffer a (moderate) waiting time
as the system searches for segments of peers to download the
desired content from.
References
[1] Gnutella, “http://gnutella.wego.com/”.
[2] Y.-H. Chu, S. G. Rao, and H. Zhang, “A case for end
system multicast,” in Measurement and Modeling of
Computer Systems, 2000.
[3] B. Cohen, “Incentives Build Robustness in BitTorrent,”
in Workshop on Economics of Peer-to-Peer Systems,
2003.
[4] V. Agarwal and R. Rejaie. Adaptive Multi-source
Streaming in Heterogeneous Peer-to-Peer Networks In
MMCN, 2005.
[5] Y. Huang, Tom Z.J. Fu, Dah-Ming Chiu, J.C.S. Lui, and
C. Huang, “Challenges, design and analysis of a large-
scale p2p-vod system,” Proc ACM SIGCOMM 2008, pp.
375-388, 2008.
[6] X. Zhang, G. Neglia, J. Kurose, and D. Towsley. On the
benefits of random linear coding for unicast applications
in disruption tolerant networks. Second Workshop on
Network Coding,Theory, and Applications (NETCOD),
2006.
[7] Wikipedia, P2P http://en.wikipedia.org/wiki/P2P,
accessed 20/11/2006.
[8] M. R. Garey and D. J. Johnson, Computers and
intractability: a guide to the theory of NP-completeness.
New York: W.H. Freeman, 1979.
[9] C. Gkantsidis, J. Miller, and P. Rodriguez,
“Comprehensive view of a live network coding P2P
system”, in Proc. ACM SIGCOMM/USENIX IMC’06,
Brasil, October 2006.
[10] S. Deering and D. Cheriton, “Multicast routing in
datagram internetworks and extended LANs”, ACM
Transaction on Computer Systems, vo. 8, no. 2, pp. 85-
110, May 1990.
[11] S. Banerjee, B. Bhattacharjee, and C. Kommareddy,
“Scalable application layer multicast”, in Proc. ACM
SIGCOMM’02, Pittsburgh, PA, August 2002.
[12] M. Castro, P. Druschel, A.-M. Kermarrec, A. Nandi,
A. Rowstron and A. Singh, “SplitStream: High-
bandwidth multicast in cooperative environments”, in
Proc. ACM SOSP’03, New York, USA, October 2003.
[13] S. Acendanski, S. Deb, M. Medard, and R. Koetter,
“How good is random linear coding based distributed
networked storage?,” in NetCod, 2005.
[14] PPLive internet site. http://www.pplive.com.
[15] Xiaojun Hei, Chao Liang, Jian Liang, Yong Liu and
Keith Ross, "Insight into PPLive: A Measurement Study
86 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

of a Large-Scale P2P IPTV System", Proc of WWW

2006 workshop of IPTV services over World Wide Web.
[16] “PeerSim P2P Simulator,” 2005, accessed 01-May-
2006. [Online]. Available:
http://peersim.sourceforge.net/.
[17] [Agr02] R. Agrawal and V. Subramanian, “Optimality
of Certain Channel Aware Scheduling Policies,” Proc. of
2002 Allerton Conference on Communication,Control
and Computing, Oct. 2002.
[18] J.A. Pouwelse, J.R. Taal, R.L. Langendijk, D.H.J.
Epema,, “Real-time Video Delivery using Peer-to-Peer
Barterin Networks and Multiple
DescriptionCoding”http://ishare.ewi.tudelft.nl/public/Po
uwelseTaal_SMC2 004.pdf.
[19] R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung,
“Network information flow,”
[20]H. Kopetz. Real-time systems-design principles for
distributed embedded applications. Kluwer Academic
Publishers, 1997.

Authors Profile

S.Nagaprasad Sri. Received the Bacholar

of Computer Applications (B.C.A.) From
Osmania University, Hyderabad, in 2001,
M.Sc (I.T.) From Sikkim Manipal
University, Manipal in 2003 and M.Tech
(C.S.) From Allahabad Agricultural
University, Allahabad in 2005. Presently
Pursing Ph.D in Computer Science &
Engineering from Aacharya Nagarjuna University, Guntur.

Prof. A.Vinay Babu obtained his

Bachelors degree in Electronics &
Communication Engineering from Osmania
University. Has duel Masters degree, one in
Computer Science & Engg and the other
one is in ECE from JNTU. He obtained his
PhD from JNTU, Hyderabad. His research
area is Data Mining and Image processing.

Prof. K.Madhukar received his Masters

in Engineering Physics and Instrumentation
from Osmania University in 1980 and PhD
from Osmania University in 1989.
Presently he is Professor and Head Dept of
Physics and Electronics, Nizam College,
Osmania University, Hyderabad. He
worked as ICT4D programme specialist in
United Nations Development Programme
(UNDP) for more than four years. His research area is Data
mining, Knowledge Discovery and Networks. Eight students
working for their doctorial degree under his supervision.
 (IJCNS) International Journal of Computer and Network Security, 87
Vol. 2, No. 9, September 2010

Data Aggregation Trees based Algorithm using

Genetic Algorithm in Wireless Sensor Networks
Mehdi Dabbaghian1, Abolfazl Kalanaki2, Hamed Taghvaei3, Faezeh Sadat Babamir 4 and Seyed Mehrdad
Babamir5
1
Islamic Azad University Abhar Branch,
Member of Young Researchers Club, Abhar Branch, Abhar, Iran
m.dabbaghian@engineer.com
2
University of Tehran,
Faculty of Management, Tehran, Iran
info@kalanaki.com
3
Islamic Azad University Arak Branch,
Arak, Iran
taghvaei24@ymail.com
4
Shahid Beheshti University of Tehran,
Evin 1983963113, Tehran, Iran
f.babamir@mail.sbu.ac.ir
5
Sharif University of Technology,
Electrical Engineering Faculty, Tehran, Iran
smbabamir@ee.shrif.ir

redundant ones then aggregate them according to the data

Abstract: This study investigates balanced and energy efficient
data collecting spanning tree in order to propose Genetic
Algorithm (GA) based approach. Optimum solution from GA,
consumes lowest possible energy to transmitting data from
random placed nodes to the Base Station (BS). As a result,
monitoring and sending data are intensively energy consuming.
Using an algorithm which is able to balance residual energy
among nodes can help the network to withstand more and
consequently extend its own lifetime. The GA and data
aggregation tree simulation shows that balancing operation
practically increases the network lifetime.
Keywords: Wireless Sensor Networks, Data Aggregation,
Genetic Algorithm
1. Introduction
Now-a-day, wireless sensor network are appeared every
where especially in ubiquitous and pervasive applications.
These kinds of networks consist of number of small, low
power, certain communication range sensing nodes which
cooperatively monitor environment and transmit data to the
Base Station (BS) or sink. This task is seriously energy
consuming so that due to limited power nodes, intelligent
data dissemination with energy efficient protocols are
attended. The lifetime of network is defined as exchanged
message toward sink with a network in which has minimum
required active nodes [1]. Intelligent optimum energy
consumption protocols can extend the network lifetime and
consequently withstand long transmission periods.
In this study, sensor nodes monitor data and remove
aggregation spanning tree and just then they send packet
data to the appropriate neighbors. BS is a powerful station
which has connection between WSN and IP network. The
proposed technique would be suitable for a homogeneous
WSN with some spatial correlation in the collected data.
Genetic Algorithm (GA) is classified as heuristic functions
which can obtain optimum solution, using investigating
search space. In this paper, a GA based algorithm is used to
create an efficient data aggregation tree in which any node
has value property. Consequently, any chromosome consists
of some genes or nodes that index of gene indicates the node
and corresponding value identifies parent node. We apply,
single point crossover to generate future population where
corrupted individuals are distinguished by selection process.
The fitness function assigns individuals suitable value on
the basis of residual energy, number of transmission and
receive data packet. Number of iteration and population size
determined according to the network size.
Following, we organize the paper with section 2: brief
description of literature, section 3: problem discussing,
section 4: giving more detail about usage of GA to create
data aggregation tree, section 5: providing simulation results
and finally, section 6: conclusion and future work.
2. Related Work
During 2000’s, there are many researches have been
devoted. For instance, Kalpakis et al. [2] propose MLDA
(Maximum Lifetime Data gathering Algorithm). In fact,
MLDA finds edge capacities that flow maximum
88 (IJCNS) International Journal of Computer and Network Security,
transmission by running a linear program. This algorithm is
able to maximum lifetime of network with certain location
of each node and base station.
One year later, Dasgupta et al. [3] extend MLDA with
applying cluster based heuristic algorithm called CMLDA
where nodes are grouped into several clusters with pre-
defined size. The energy summation of cluster member
nodes is their cluster’s energy. The distance between
clusters is computed by maximum distance between every
pair of nodes of two clusters. From cluster formation on
then, MLDA is applied.
Ten at al. [4] study two spanning tresses so that aggregate
scheme and data gathering have been applied to extend
network lifetime. In this paper, generally, two methods are
considered to manage power among nodes. The first, power
aware version (PEDAP) which have an attempt to extend
lifetime, balancing the energy consumption among nodes,
unlike second method, PEDAP, non power aware version
which minimizing the total energy consumed from the
system in each data gathering round [1]. This method
extends the lifetime of the last node. The edge cost is
calculated in different ways. In PEDAP, edge cost is the
same summation of energy mounts for transmission and
receiving while PEDAPPA, dividing PEDAP edge cost with
transmitter residual energy results asymmetric
communication costs. A node with higher cost is considered
later in the tree as it has few incoming. After determining of
edge costs, Prime’s minimum spanning tree rooted at the
BS, will be formed for routing of packets. This calculation is
computed per every 100 iterations. Being active for all nodes
and awareness of node locations at the BS also are their
assumptions.
Jin et al. [5] utilize GA to fulfill energy consumption
reduction. This algorithm gets a primary number of pre-
defined independent clusters and then biases them toward
optimal solution with minimum communication distance by
the iterations of generation. They come to conclusion that
the number of cluster heads is reduced about 10 percentage
of the total number of nodes. They also show cluster based
methods decrease 80 percentage of communication distance
as compare to direct transmission distance.
In 2005, Ferentinos et al. [6] improve the proposed Jin et al.
algorithm with extended fitness parameter. They investigate
energy consumption optimization and uniformity
measurement point, using a fitness function involved status
of sensor nodes, network clustering with the suitable cluster
heads, and also the selection between two signal ranges
from normal sensor nodes.
3. Problem Statement
In this study, we suppose that every node firstly has pre-
defined energy for receiving multi data packets as it is able
to monitor environment in addition to transmit children
packets as well as sending single one to parent or BS. This
task periodically will be continued as long as possible.
In our algorithm, at first, all nodes send a sample certain
packet to the BS once they are at ready. Just then minimum
Vol. 2, No. 9, September 2010
spanning tree or the same an aggregation tree rooted at BS
is formed. In this paper, the network lifetime is credited
until all nodes are active.
4. Genetic Algorithm
In this study, GA is applied in order to obtain balanced and
energy efficient spanning trees. Every chromosome
represents a tree where gene index indicates node and
contained value point out corresponding parent. Using
standard GA, the optimum minimum spanning tree will be
resulted.
4.1 Gene and Chromosome
A chromosome is the collection of genes or nodes which
have fixed length according to the number of former nodes.
3 0 5 1 2 0
1
5
0
2
4 3
Figure 1. Chromosome and corresponding Tree Example
4.2 Crossover
The main step to produce new generation is crossover or
reproduction process. In fact, it is a simulation of the sexual
reproductive process that the inheritance characteristics
naturally are transferred into the new population. To
generate new offspring, crossover selects a pair of
individuals as parents from the collection formed by
selection process for breeding. This process will continue
until the certain size of new population is obtained. In
general, there are various crossover operations which have
been developed for different aims. The simplest method is
single-point in which a random point is chosen whereby two
parents exchange their characteristics. Table 1 shows an
example of mating of two chromosomes in single point way.
Table 1: Single point method at random point 6
First Second
Parents 101101’01101101 011110’10001011
Offsprin 101101’10001011 011110’01101101
g
4.3 Fitness Function
Fitness function is a procedure which scores any
chromosome. This value helps us to compare the whole ones
to each other to survival or death. Below, we propose a
fitness function where N is the number of nodes and setup
energy is considered for calculating electrical power.
Echildren is required energy to sending data packet received
from children.
 (IJCNS) International Journal of Computer and Network Security, 89
ETotal = ESend + EMonitor + EChildren + ESetup
(1)
ETotal
F (i ) =
N
Above, we try to compute average energy mount with
division to the number of nodes. Each individual is assessed
by selection function where the better fitness value; the more
chance to participate in the next generation.
5. Simulation
5.1 Network Properties
The simulation parameters for the experienced sensor
network are: 1) The network dimension is 100*100 m2, 2)
Initial energy of each node is .8 J, 3) Random nodes
placement is considered, 4) Each tree is used just for 15
periods, 5) each scenario is simulated for 5 times that
average one is reported 6) BS is situated at the center of
resource 7) Wireless sensor network simulator, a free
software is utilized for simulation.
5.2 Genetic Algorithm parameters
The simulation for our heuristic algorithm is as follows: 1)
Population size is 500 equal to network nodes, 2) number of
generation is 200, 3) mutation and crossover rate is 0.7.
Figure 2 represents the network under experience in early
setup where little white point is the data packet while they
are transmitting among nodes and green circles are active
nodes at that moment. The light ones are transmitting while
dark ones transmitted at this near time.
Hereinabove shows the network with fewer active nodes but
it is not out of order as the required paths for transmitting
are credited.
At last, Figure 4 indicates our experienced network at its
later lifetime. According to this fig, just a few nodes are
valid for transmitting children and monitored data. In this
status, the network is being to be out of order.
Figure 2. Network status in early setup
Figure 3. Failing some nodes after several periods
Vol. 2, No. 9, September 2010
Figure 4. Network status in later lifetime
As a result, these figures indicate that using proposed
algorithm, the network has most withstanding to transmit
data packet, as minimum spanning tree intelligently selects
an affordable routing leading to extend lifetime.
6. Conclusion
According to the simulation, we came to conclusion that
proposed algorithm extends network lifetime as compared to
PEDAPPA. In future, the fitness function and other GA
parameters can be improved to present more efficient
algorithm. Furthermore, we would like to investigate tree
which can efficiently adapt with network structure.
References
[1] O. Islam, S. Hussain, and Haiyi Zhang, “Genetic
algorithm for data aggregation trees in wireless
sensor networks,” In Proceedings of 3rd International
Conference on Intelligent Environments, pp. 312-316,
September 2007.
[2] K. Kalpakis, K. Dasgupta, and P. Namjoshi,
“Maximum lifetime data gathering and aggregation in
wireless sensor networks”, In Proceedings of IEEE
International Conference on Networking, pp. 685–696,
August 2002.
[3] K. Dasgupta, K. Kalpakis, and P. Namjoshi, “An
efficient clustering-based heuristic for data gathering
and aggregation in sensor networks”, In Proceeding of
IEEE Wireless Communications and Networking
Conference, pp. 1948 - 1953 vol.3, March 2003.
[4] H. O. Tan and I. Körpeoğlu, “Power efficient data
gathering and aggregation in wireless sensor
networks”, In SIGMOD Rec, Volume 32, Issue 4,
pp.66–71, 2003.
[5] S. Jin, M. Zhou, and A. S. Wu, “Sensor network
optimization using a genetic algorithm”, In
Proceedings of the 7th World Multiconference on
Systemics, Cybernetics and Informatics, pp. 1031-
1051, Nov 2003.
[6] K. P. Ferentinos, T. A. Tsiligiridis, and K. G.
Arvanitis, “Energy optimization of wirless sensor
networks for environmental measurements”, In
Proceedings of the International Conference on
Computational Intelligence for Measurment Systems
and Applicatons (CIMSA), pp. 250 – 255, July 2005.
90 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Cloth Deformation Simulation Based on a

simplified mass-spring model
Yao yu-feng 1, Xia kai-jian 2 and Zhou jin-cheng 3
1
Changshu Institute of Technology ,Computer science and Engineering College,
Suzhou Jiangsu china,215500
fengsingal81@gmail.com
2
Changshu Institute of Technology ,Computer science and Engineering College,
Suzhou Jiangsu china,215500
xiakaijian@163.com
3
Department of Mathematics, Qiannan Normal College for Nationalities,
Duyun Guizhou 558000
guideaaa@126.com

kinds: shear spring, structural spring and bending spring[4]

Abstract: Simulating the motion of cloth is an important part
in virtual simulation. The computational costs are still high. in the mass – spring model. The mass – spring model is
Cloth deformation simulation is an important research topic in simplified to avoid the disadvantage of the complex
the Computer Graphics. This paper presents a physics-based algorithms and the high computation cost which is
simulation of cloth deformation model approach, using a generated in seeking the physical reality. In this paper the
simplified mass-spring model for the cloth-object. To cope with mass-spring model is simplified and use a simple and
requirements such as real-time and stability in cloth effective display Euler integration method to Simulate the
deformation, this paper makes the mass-spring model simple. swung states more realistic and more quickly. This method
The dynamic equation of the cloth-object model is worked out by greatly improves the calculation efficiency and is good at the
the Euler integration method. Experimental results show that stability and real-time, and is easy to implement.
the model creates realistic simulations good stability, easy to
implement.
2. Creating the Model
Keywords: Cloth deformation; mass-spring model; Euler
integration method; collision detection. The mass-spring model is composed of m × n mass
virtual network, the relationship between the masses is
1. Introduction mainly transmitted through the spring, each mass is
connected to the adjacent mass by the spring whose quality
The real time simulation of the cloth has been widely is zero. The spring is divided into three kinds: shear spring,
used in film、 television and network games currently. It structural spring and bending spring in the adjacent mass-
makes a lot of animators to work less from the heavy works. spring model. Shown in Figure 1. Figure 1a shows the basic
As a classic soft objects[1],Cloth shows thin shape, good mass-spring model, Figure 1b is the structural spring,
shape variability. The shape can be changed according to Figure 1c is the shear spring, and figure 1d is the bending
the shape of its attached surface. At the same time, it can be spring. We can simulate all kinds of cloth deformation by
swung and deformed by the external forces (such as wind). using these three springs.
How to simulate the cloth truly has been a hot area of
research. But currently available simulation methods have
many problems in solving real time and stability at the same
time. So this is the bottleneck to use this technology to
application.
Animation technology based on physical models has been
considered the attributes of the real world object, such as its
quality, inertia moment, spring, friction and so on, and (a)basic mass-spring model (b)structural spring
automatically generates the original object with dynamic
movement, generate the movement by using dynamic
theory.
Cloth-object Simulation model Based on the physical
method-mass-spring[2],[3] is used widely as its model is
easy to use and the algorithm is easy to implement. In this
(c) shear spring (d) bending spring
paper the cloth is based on the mass-spring model and
Figure 1. the mass-spring model and the three kinds of
regarded as the grid system which is composed by the
spring type
masses and the spring which connects between the masses.
In order to meet the cloth physical properties of the
nonlinear stress-strain. The spring is divided into three
 (IJCNS) International Journal of Computer and Network Security, 91
Vol. 2, No. 9, September 2010

The mass-spring model is simplified in this paper, we In the dynamic simulation of the cloth, the damp force is
Pi, j+1 Pi+1, j Pi, j Pi +1, j+1 Ft
know that spring and are the shear necessary for maintaining the system stability, the di (the
spring in Figure 1a. It is proved by the experiment that two damp force of all masses j that are the neighboring masses
shear springs do not have much affection for the of the mass i at the cloth surface) expression is as follow：
performance of the system instead of one shear spring. n
Therefore we reduce one shear spring to simplify the model, Fdit = ∑ d ij (vi − v j )
figure 2 is the simplified mass-spring model. j =0
（2）
t
F is the damp force, d i , j is the coefficient of elasticity
di

of the spring between the mass i and its neighboring mass

vj
j, vi is the speed of the mass i, is the speed of the mass j,
t is the current time step.
3.2 external forces
Figure 2. the simplified mass-spring model
There are many kinds of external forces including the
forces of the gravity and the wind (the system only considers
3. Analysis of Model stressing the forces of the wind and the gravity, does not consider the
In the model, the cloth is described by using the impact of other external forces).
simplified mass-spring model, The model is consisted of a 1.The force of the gravity
number of virtual masses of the triangle mesh, each mass The force caused by the attraction of the Earth is called
connects to its adjacent mass. The movement of each mass the force of the gravity. The gravity at the same point on the
is determined by the sum of the external forces and internal earth is directly proportional to the quality of the object. The
forces. The internal forces are spring force and damp force Fgit
between the masses, the external forces are the force of gravity of the mass i on the cloth surface is:
gravity and wind. Mass should show the cell movement F = mi g
t
gi
（3）
which is represented by it. The movement effect of all t
masses represents the deformation shape of the entire cloth. F gi m
is the gravity of the mass i at the time t, i is the
The following is the analysis of the force of cloth. quality of the mass i, g is the acceleration of gravity, it is a
3.1 internal forces constant.
1.spring force 2.The force of the wind
In order to simulate cloth deformation， supposed that Aerodynamics and hydrodynamics [7]gives the flow of air
movement, The computational complexity of this type of
any two masses on the cloth surface are connected by spring,
applications is often prohibitively large. A flow of wind is
a mass can produce forces of the opposite direction and
designed to simplify the computation complexity and satisfy
same direction to its neighboring mass .The spring force is
the physical reality. The flow has a parallel direction, and
adopted to the Hooke's Law. supposed that there is a spring
ignores the changes when the wind collide the cloth. So the
connected the mass i and its neighboring mass. According
Ft Fwit is:
force of the wind
to Hooke’s Law, force si is directly proportional to the
length changes of the spring [5],[6]: Fwit = kw (vw − vi ) （4）
( x j − xi ) t
Fsit = ki , j (| x j − xi | −li0, j ) F wi is the force of the wind of the mass i.
kw is the
| x j − xi |
(1) vw is the speed of the
t coefficient of the force of the wind.
F si v
is the spring force between the mass i and its
wind. i is the speed of the mass i. In the actual scenario,
k some masses on the cloth surface are blocked, so there are
neighboring mass j， i , j is the coefficient of elasticity of
no wind effect on these masses.
the spring between the mass i and its neighboring mass j，
According to Newton's Second Law of Motion, the total
xi and x j is the location of the mass i and its neighboring Fi t is:
force of the mass i at the time t
l0 Fi t = F sit + Fdit + Fgit + Fwit
mass j, i , j is the initial length of spring, t is the current （5）
time step. The mass has forces which are the same direction
and opposite direction to its neighboring masses. So the
4. Explicit Euler integration method to solve
Fi t, j the dynamic equation
force of one mass is , then the force of its neighboring
−F t
i, j This section mainly uses explicit Euler integration
mass is .
method[8],[9] to solve the mass-spring model.
2、damp force
92 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Fi n Collision detection is simple by using this method, but

vin+1 = vin + ∆t ⋅ there are some problems, when the cloth grid is sparse, Even
mi (6) the mass is outside of the geometrical object, the infiltration
n +1 n +1 can occur. For solving this problem, the expansion avoiding
xi = x + ∆t ⋅ v
n
i i (7) method[10]is given, that is increasing a bounding layer in
This method needs to store two variables for each mass. the outer surface of the ball, which is to increase the radius
They are current speed and position. Through calculating of the sphere, this can be effective to avoid the
the time step ∆t ,new speed and position can be calculated infiltration phenomena.
by equation（6）and（7）. This method is simple and When the collision detected, the system should respond
computing quickly and good at parallelism. But it needs the timely for realistic simulations. Equation (10) shows that the
time step ∆t small enough to guarantee the stability of the
Euler integration method does not solve the system
equations by using the speed variable, so the system
algorithm. The external forces (the force of the gravity and
calculates fast, and can remain stability.
the wind) are relatively small in the model, so this issue will
not affect the result of simulation.
Judging from the general system, the position of the 6. The simulation results
masses of the cloth is moving fast, so it would lead to
instability occurs such as collision reaction. To solve this 6.1 The work flow
problem, a simple method is proposed, that is modifying the The simulation for the cloth collision essentially is to
value of the speed after each time step: determine the coordinate’s information about the mass
x in − xin −1 position on the cloth at each time step. The position is
v =
n
mainly influenced by the external forces and internal forces.
∆t
i
（8） The work flow for the cloth deformation simulation is
Equation (8) shows that, the speed of the mass is shown in figure 3：
calculated by the position movement. So the position
movement can directly affect the speed at the next time step,
and this method can enhance the stability of the numerical
integration algorithms. Substitute equation (6) into equation
(7)：
n +1 Fi n
xi = x + ∆t (v + ∆t ⋅
n
i
n
i )
mi （9）
Substitute (8) into (9)：
Fi n
xin+1 = 2x in − xin−1 + ∆t 2
（10）
mi
The mass position can be calculated at any time step
according to equation (10).

5. Collision detection and treatment

In real time simulation, only consider the collision
between the cloth and the shape object, collision detection
can be implemented by calculating the distance between the
objects. In the experiment, calculate the distance to judge Figure 3. cloth simulation flow chart
whether the collisions occur between the cloth and 6.2 Experiments and Results
the geometrical object, or whether the infiltrations into the
We implement the simplified mass-spring model on PC
object occur.
In the following collision detection experiment, use Point which is P4 T2310 1.86G, 2GRAM, Inte182865G graphic
to Plane model to carry out the collision detection. In the cards, and based on the OpenGL graphics library, using the
experiment, given a rigid geometric sphere, the coordinate VC + + as a development environment. As the mass-spring
model is a simplified physical model which is discrete, the
of the mass is( x, y, z ),supposed the coordinate of the center
r simulation results can only be a degree of approximation.
（ a, b, c） , n is the surface normal vector,
of the sphere is We have detected the collision that the cloth is draped.
d between The collision object is a red ball, simulate the masses of the
the radius of the sphere is r ，then the distance
cloth and draping cloth. The following figures show
the center of the sphere and the mass is:
experimental results by using different parameters. Figure
d = (x - a) 2 + ( y − b) 2 + ( z − c ) 2 4（a）is the result of the draping cloth, the red dots on the
（11）
cloth are the masses of the model. Figure 4（b）is the result
If d < r the infiltration would occur； when the collision occurs. Figure 4（c）and （d）are the
If d ≥ r the infiltration would not occur； result without masses.
 (IJCNS) International Journal of Computer and Network Security, 93
Vol. 2, No. 9, September 2010

The Journal of Visualization and Computer

Animation.2001,12:1-12.
[9] Jin Bi-peng.Research on the computer real-time
animation[D].HeFei:University of Electronic Science
and Technology of China,2007.
[10] Wang Jian-chun,Hu Xin-rong,Wang Hui. Simulation
Technology of Cloth Modeling Based on Mass Spring
Model [J]. Journal of Wuhan University of Science and
(a)draped cloth (b)cloth deformation when the Engineering. 2008,21(9):6-8.
collision occurs

Author Profile
Yao yu-feng received the M.S. degrees in
Computer science and technology from
Beijing University of posts and
telecommunication in 2008. Then works as
an teaching assistant at Changshu Institute
(c) draped cloth (d) cloth deformation when the collision of Technology ,Computer science and
occurs（ without masses） Engineering College .
Figure 4. experimental results

7. Conclusions
In this paper, we present a mass-spring model to simulate
the cloth deformation, and use simplified mass-spring model
when create the model of cloth, and decrease some shear
springs. The computation performance is highly improved
by using this model. The dynamic equation of the cloth-
object model is worked out by the Euler integration method.
The collision between the cloth and object is also
considered. Experimental results show that the model
creates realistic simulations good stability, easy to
implement.

References

[1] NGNH， GRIMSDALE R L. Computer graphics

techniques for modeling cloth[J]． IEEE Computer
Graphics and Applications， l996,16-36．
[2] Bridson R, Marino S, Fedkiw R. Simulation of clothing
with folds and wrinkles[C]. Proceeding of the 2003
ACM SIGGRAPH/Eurographics Symposium on
Computer Animation, San Diego， 2003,28-36.
[3] Xia kai-jian, Wang shi-tong. [J]. computer engineering
and applications， 2009， 45(29):177-179.
[4] Li Jian, Li Peng-kun, Liao Qiu-jun. Cloth simulation
based on improved mass-spring model[J].journal of
computer applications， 2009， 29(9):2386-2388.
[5] Ning Song, Lin mu-hua, Liu Jiao. A quick cloth
simulation based on physical modeling[J]. Computer
Simulation， 2006， 12（ 23） ： 118-121
[6] Jaruwan M, Ratan G, Shafaq C. 3D Soft Body
Simulation Using Mass-spring System with Internal
Pressure Force and Simplified Implicit Integration[J].
Journal of Computers. 2007,2(8):34-43.
[7] Li Chang-feng, Xiu Yi. Cloth 3D dynamic deformation
[J]. CAD&CG,2006,18(9):1372-1376.
[8] MEYER M, DEBUNNE G, BARR A. Interactive
animation of cloth-like objects for virtual reality[J].
94 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

The Performance Analysis for MAP Selection

Scheme of Hierarchical Mobile IP Networks
Shan Zhong 1, Jin-yi CHANG 1, Dan Zhao 2 and Hong Zhao 3
1
School of Computer Science and Engineering, Changshu Institute of Technology,
Changshu 215500, China
sunshine-620@163.com
2
Zhe Jiang Yinjiang Electronics Co., Ltd.,
Hangzhou 310023, China
denisejob@163.com
3
College of Computer Science and Technology, Zhejiang University of Technology
Austria Hangzhou, China
z.ke.jia@163.com

protocol is used when it is moving in domain. A new node

Abstract: To provide more flexibility to end-users and achieve
better mobility management (MN), the concept of mobility
anchor point (MAP) was introduced. How to select an
appropriate MAP for MN has an important effect on the total
signaling overheads and network performance in Hierarchical
Mobile IP networks. This paper introduces two types of MAP
selection methods which include static and dynamic programs,
and lists out several existed schemes such as the nearest
selection scheme, the farthest selection scheme, the selection
scheme based on mobility characteristic and the adaptive
selection scheme. Finally we get a conclusion through the
compare for the four schemes.
Keywords: Mobile IP; Hierarchical; Mobility; MAP.
1. Introduction
With the development of internet and wireless access
technologies, more and more users hope mobile devices such
as mobile phone and PDA can access to internet in casual.
The appearance of Mobile IP satisfies this need, and it is a
mobility management scheme for all the world worked out
by IEIF and has been a hot research area [1] [2]. The protocol
can insure route to the mobile host regardless of the access
point on the internet, two functional agents such as Home
Agent (HA) and Foreign Agent (FA) are used, and location
update and tunnel mechanism are used to rout the packet
between them, but the main problem of IETF Mobile IP is
the frequent position announce results in the high signaling
overhead. When the MN (mobile node) changes CoA (Care
of Address), it is necessary to register to HA. If MN has
long distance with the local network, the signaling overhead
and the propagation delay are considerable big.
The introduction for hierarchical management schema is
in order to solve the high signaling overhead generated in
the frequent switch in the Mobile IP. The network is
departed to different domains by layered technologies, and
the mobility problem are departed to macro-mobility and
micro-mobility. The standard Mobile IP is used when the
MN is moving between domains. The tiny mobile IP
called MAP is introduced in HMIPv6 [3], it is a router
positioned in MN access network. Then MN use MAP as a
local HA, when MN is moving in MAP domain without the
need to register to HA, just needing to register to the current
MAP. When it moves out from MAP domain and then needs
to register to HA, it lessens the spending for location update.
There can be several MAPs in the access network. The
selection problem of MAP is exited when several MAP is
found in the same domain, namely, how to find the suitable
MAP.
The paper is organized as follows: Firstly, several static
MAP selection schemas are listed in the second part; then
several dynamic selection schemas are introduced in the
third part; finally, the advantages and the disadvantages are
listed in this paper, and the result is given finally.
2. Static MAP Selection Schema
In the following part we listed two static MAP schemas
based on the distance in HMIPv6 network such as the
nearest selection scheme and the farthest selection scheme.
Because this scheme is the basis of the other schemas, so it
is described in detail firstly.
MAP selection schema or the farthest MAP selection
scheme, namely, is MN selecting the farthest or the nearest
MAP to communicate as its service MAP. The specific
[4]
operation is as follows:
• Analyze all the MAP selection (the message format of
MAP selection message is as figure 1)
• Order MAP according the distance sequence (if the
nearest selection schema is used, then order it with the
ascending sequence, and if it is the furthest selection
schema is used, then order it with the descending
sequence)
• Select the first MAP in the selection list
• If the priority and the value of survival field are 0, then
select the sequent MAP in the table.
Repeat executing (4), until finding MAP the priority of
 (IJCNS) International Journal of Computer and Network Security, 95
MAP and the effective survival period of which not 0.
The above procedure will go on until all the priority value
of MAP is lessoned to 0, then another MAP is selected.
The advantage of the furthest selection schema is
registering frequently and repeatedly, it is effective for the
MN of quicker mobile speed. The relative further MAP can
lesson the communication price between HA and CN, but is
not proper for the MN of slower mobile speed. Furthermore,
if all MN choose the furthest MAP as their service MAP, the
MAP can be the performance bottleneck of system, the
higher operation time delay is generated.
The nearest selection schema is selecting the nearest
MAP as the current MAP of MN, respecting to the furthest
selection schema, the price for the local register renewing of
the schema is relatively small, but the frequent changing
MAP makes the overall price bigger. The message of
mobility anchor point is showed in Fig.1.
Figure 1. The Message format of Mobility anchor point
3. Dynamic MAP Selection Schema
The procedures of the dynamic schema are showed as
follows:
(1)MN receives RA contained the MAP choice, and a
MAP list is obtained, so the information of MAP is obtained
(the distance leap and the load of MAP).
(2) Through the reckoning some special parameters (like
session arrival rate), a proper MAP is confirmed
dynamically. According the different value of selective
parameters, it can be departed to the following several
schemas.
3.1 Selection Schema Based on Mobility Character
The schema is improved based on the distance schema. MN
selects the service MAP according the self mobility
characters.
The schema based on speed schema is deciding which
MAP to choose according the mobile character such as
mobile speed. Here the rapider mobility MN selects the
farthest MAP as the service MAP, and the slower mobile
speed MN selects the nearest MAP as its service MAP. The
procedure based on speed is as follows:
(1)Reckon on the speed of MN. This is the difficulty of
the schema, because it is difficult to be reckoned precisely,
namely, the speed is not the practical speed, the history
speed is used as the current speed of MN.
(2)Choose the properest MAP. When the speed is given, a
proper MAP is selected in the list. The selective list records
the mapping relation between mobility type and the answer
MAP. Wan Zheng[5] introduces whether MN interacting
with high layer MAP, low layer MAP or register with HA
Vol. 2, No. 9, September 2010
all depends its speed and the counts. When the load balance
problem is solved, a limit control algorism and substitute
algorism is used to make the load balance for the two MAP
layer and the different MAP in the same layer.
The schema based on topology structure designs the two
information of mobile history such as the IP address of AR
and the access time for MN. Every MN has its own mobile
history. When a new AR area is entered, the mobile history
is sent to the current AR, then computing the relative high
speed of MAP. If there is a big speed of MAP, MN can
register with it.
3.2 Adaptive MAP Selection Schema
For the performance of HMIPv6 relying on the activity and
the mobility of the conversation, the transport price and the
binding renewing price of packet can not be ignored. These
aspects is considered in adaptive MAP selection schema,
and compared with the above schema, it is more precisely
and flexible.
One of the schemas in adaptive selection schemas is to
compute the signaling overheads between the remote home
registration and the local register, namely, to decide whether
the current FA can come to MAP or not. The schema also
considers the mobile characters and the network load.
The familiar adaptive selection schema is through
reckoning on the ratio of packet of arrival speed and the
mobile speed to select MAP. The ratio of MN is smaller, the
quicker speed of mobile speed of MN, so the furthest MAP
is used as service MAP. Contrarily, the ratio is bigger, the
nearest MAP is selected.
4. Comparing of Schemas
The farthest selection schema MAP is relative near with the
gateway, so it is often used as the gateway of the outer
gateway. If the farthest MAP is selected, the MAP will be
the bottleneck of the network. Moreover, if the MN just can
move in the limited area of the out network, it is no
necessary to register in the farthest MAP. In this case, if we
select the farthest selection schema, for the distance between
MN and MAP is larger than the distance with the nearer
MAP, therefore, the register time delay will be larger. If we
select the farther schema, then the MAP is not necessary to
be renewed in the moving process of MN. So the moving
counts are lessoned, for the MAP area is large, so the switch
counts of area in the moving process will be added.
The nearest selection schema is contrary to the farthest
selection. If MN is registering with the nearer MAP, the
register time delay is smaller, because the formed MAP
domain is smaller, the switch counts in area is relatively
smaller. But MAP needs to renew frequently, so the switch
counts between domains are larger and the signaling
overheads is relatively large.
The selection schema based on the mobile characters
using the mobile characters to select the farthest MAP or the
nearer MAP, it is a compromise of the two schemas, but has
an improvement in the performance.
Compared with the former schemas, the adaptive
selection schema is more flexible and precise, the load of
96 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

every MAP is balanced effectively, the switch counts [5] Zheng Wan, Xuezeng Pan, Jian Chen et al, “A Three-
between areas and in area is balanced, so the signaling level Mobility Management Scheme for Hierarchical
overheads is lessoned. Mobile IPv6 Networks,”Zhejiang University:
For clearance, we list the MAP load, the switch counts in Science,PP.8-13, 2006.
area, the switch counts between areas, the signaling [6] Sangheon Pack, Taekyoug Kwon, Yanghee Choi, “An
overheads and the comparing results of the register time Adaptive mobility Anchor Point Selection Scheme in
delay. Hierarchical Mobile IPv6 networks,” Computer
Communications,PP. 3066-3078,2006.
Table 1: The result 1 of several MAP selection schema
Authors Profile
The Switch Register
performanc MAP load counts in time Shan Zhong received M.S. degrees in
e schema areas delay Computer Science from Jiangsu University in
2008, her main research area is Mobile IP,
Farthest Large Much Large PETRI NE , and Artificial intelligence. Now she
Nearest Medium Less small works in school of computer science and
Based on engineering in Changshu Institute of technology.
mobile Medium Medium Mediu
characters m

Adaptive Small Medium Small

Table 2: The result 2 of several MAP selection schema

Switch
The performance counts Signal
schema between overload
areas
Farthest Less Medium
Nearest Much Large
Based on Medium Small
mobile characters

Adaptive Less Small

5. The Conclusion
The MAP selection schemas are concluded in the current
HMIPv6, the advantages and the disadvantages are
analyzed.
The adaptive selection schema is the relative excellent
schema. The next work is to introduce the intelligence
algorism to the adaptive selection schema, then simulate it
and compare it with the other schemas.

References
[1] HU Qing,ZHANG Shu-fang,ZHANG Jing-bo, WANG
Er-shen. “A New Automatic Identification System
(AIS) Model-MIP-AIS,”.ACTA ELECTRONICA
SINICA， PP. 1186-1191, 2009.(in chinese)
[2] LU Bin., “Study of multi-layer mobile support
mechanism in IP network,” Journal on
Communication, PP.129-135,2006.
[3] SOLIMAN H, CASTELLUCCIA C, MALKI K E L,
et al. RFC 4140, “Hierarchical mobile IPv6 mobility
management ［ EB/OL］ ,”(2005-08-10).
http://www.ietf.org/rfc/ rfc4140.txt
[4] Jiang Liang, Guo Jiang, etc.The next network mobile
movement Ipv6 technology. Press: Beijin: Mechnism
industry Press, 2005.
 (IJCNS) International Journal of Computer and Network Security, 97
Vol. 2, No. 9, September 2010

A Visual Grammar Approach for TV Program

Identification
Tarek ZLITNI1 and Walid MAHDI2
1
Mir@cl, Multimedia, Information Systems and Advanced
Computing Laboratory Higher Institute of Computer Science and Multimedia
Sfax BP 3021, 69042 TUNISIA, University of Sfax
tarek.zlitni@isimsf.rnu.tn

2
Mir@cl, Multimedia, Information Systems and Advanced
Computing Laboratory Higher Institute of Computer Science and Multimedia
Sfax BP 3021, 69042 TUNISIA, University of Sfax
walid.mahdi@isimsf.rnu.tn

reserve particular time spaces for their advertisements; in

Abstract: Automatic identification of TV programs within TV
streams is an important task for archive exploitation. This paper
proposes a new spatial-temporal approach to identify programs
in TV streams in two main steps: First, a reference catalogue
for video grammars of visual jingles is constructed. We exploit
visual grammars characterizing instances of the same program
type in order to identify the various program types in the TV
stream. The role of video grammar is to represent the visual
invariants for each visual jingle using a set of descriptors
appropriate for each TV program. Secondly, programs in TV
streams are identified by examining the similarity of the video
signal to the visual grammars in the catalogue. The main idea
of identification process consists in comparing the visual
similarity of the video signal signature in TV stream to the
catalogue elements. After presenting the proposed approach, the
paper overviews the encouraging experimental results on several
streams extracted from different channels and composed of
several programs.
Keywords: Visual grammar, TV programs identification, TV
stream segmentation, video signature.
1. Introduction
Face to the ubiquity of large volumes of digital videos,
effective and rapid access to multimedia information has
become a difficult endeavour. This difficulty created a
growing demand for efficient tools that offer direct access to
unstructured video contents, which in turn require automatic
video segmenting and indexing methods. Indeed, several
approaches were proposed to segment/index particular video
types, cf. [1] [4] for sports videos, [5] for news videos.
However, being dependent on the video type (e.g.,
documentaries, sports, films, news, etc), the effectiveness of
the proposed approaches cannot be sustained when the video
stream is composed of several programs of different types.
Hence, to profit from the robustness of these approaches,
one must first segment the video stream by identifying the
types of video programs it contains. In fact, besides video
stream segmentation for efficient indexing of its programs,
video type identification can be exploited in a wide range of
applications like controlling the respect of broadcasting
policies and agreements by TV channels or video copies
detection. For instance, companies invest several millions to
this context, an automatic content/type identification tool
can assist these companies in verifying if their
advertisements are broadcasted during the agreed periods.
The above mentioned applications and importance as a
pre-treatment step for efficient indexing, we present in this
paper a new approach for video TV stream content/type
structuring. Our approach constructs first a reference
catalogue composed of visual markers (visual jingles) for
various TV programs associated to their video grammars.
Each grammar defines a set of visual descriptors appropriate
to a particular TV program. In the second stage, our
approach exploits this catalogue to identify programs in TV
streams based on the visual similarity between the visual
grammars and the given video stream signal.
The rest of the paper is structured as follows: in Section 2,
we introduce the context and motivation of our approach. In
Section 3, we describe the two-step proposed approach. We
present the results of a preliminary experimental evaluation
in Section 4. We conclude the paper with discussions of the
proposed solution and an outline of future work.
2. Context and Motivation
Video segmentation is an essential step in any video
exploitation application. On the other hand, in spite of their
satisfying results, the performance of the majority of current
video segmentation approaches depends on the video type
(news program, action film, documentary film, sport
program, etc). This dependency on the video type is
explained essentially by the fact that currently proposed
approaches are based on the production rules of the video.
For example, the work in [5] segments through face
detection because it considers that the occurrence of a
person shot indicates mostly a subject change in news
programs; Mahdi et Al. [11] relies on the detection of
cinematic rhythm to segment fiction films; the works
presented in [4] and [1] are based on prior knowledge about
production rules specific to sports programs in order to
detect particular events e.g., attacks, fowls, etc.
Overall, prior knowledge of the video type is required for
98
a good semantic exploitation of a video segmentation.
However, this knowledge is often unavailable in particular
in archive videos, videos widely distributed over the web,
etc. Furthermore, videos are generally integrated into
heterogeneous and long streams, like for instance those
incorporated into channel broadcasts. In this latter case, a
video sequence can include a set of programs of various
types (documentaries, news programs, films, etc.) and/or
inter-programs (spotlights, commercials, etc.) without any
indication about the boundaries between them.
Given this context, two levels of segmentation are
required for an efficient video structuring (Figure 1). The
first level, called inter-segmentation, is dedicated to
identifying a program or an inter-program in the TV stream.
The second level, called intra-segmentation, aims to
segment the identified program into a set of temporal units
and semantic entities.
Figure 1. A two-level structuring process for TV streams.
Besides efficient intra-segmentation, inter-segmentation
for TV streams could be the object of various applications.
In fact, the identification of TV programs could serve to
develop control mechanisms for TV channels broadcasting.
On this matter, the audiovisual authorities (such as the
superior audiovisual council (CSA) in France) impose a set
of policies for TV broadcasting and control the respect of
these ones by TV channels. As an example, the CSA [3]
imposes that total duration of advertisements within one
hour of broadcasting must not exceed 4 minutes for the
public channels and 6 minutes for the private ones. Another
control example is in the context of respect of political
pluralism, where the candidates must have the same
duration in television electoral campaigns.
Besides the authorities of audiovisual control, companies
paying millions to reserve particular time spaces with high
audience for their advertisements need a means to control
whether the agreement was respected. In this context, such
companies would find it more advantageous to use
automatic tools than a manual verification to control tens of
channels with a big risk of inattention of 15 seconds from a
human agent, which can have devastating consequences.
In another context, channels diffusing 24 hours a day
would have digital archives with thousands of gigabytes of
data. However, even though most channels diffuse around
the hour (24/24), programs are diffused at least twice a day.
Consequently, identifying the repeated contents (replay
programs) as well as the inter-programs and their removal
during the digital storage phase reduce a large part of these
archives.
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
3. Video type identification approach
A great deal of multimedia content identification research
focuses on identifying video copies and web databases [10]
[17], whereas a few works has been interested in programs
identification in long TV streams.
Among the latter works, we refer to the work presented in
[2] which proposes a method to detect the repeated
sequences in TV streams. This method is based on inter-
program detection (commercials, jingles, spots …) to split
the TV stream and extract useful programs. It detects
repeated sequences using a clustering technique that groups
similar audio/visual features vectors of key-frames.
On the other hand, Naturel presents in [12] a two-step
method to structure TV streams. The first step creates a
hash-table that contains the key-frames signatures. Then,
the second step uses signature similarity comparison
between the stream signal and the hash-table to identify the
various programs.
Contrary to these two methods, we propose a video
grammar-based method that relies on TV channel “graphic
charter” to generate an appropriate grammar for visual
jingles. The produced grammar provides for the detection of
the generics (i.e., the starting points) of programs in a TV
stream.
As illustrated in Figure 2, our approach proceeds mainly
in two steps. The first step constructs a reference catalogue
containing visual grammar definitions. Each grammar is
represented in a spatial-temporal signature format. The
second step identifies the program types in TV streams
based on grammar components similarity measurement.
Catalogue Segment type identification
construction
SegRef.avi Segment k
Video stream
Signature generation
Signature (SegRef.avi) Signature(Segment k)
Loading of catalogue
elements signatures
Catalogue For each
signature i: No AND C1
SegRefGra
mmar.xml i=i+1
Signature similarity
test
Yes
No AND C2
Type of
Unidentified
C1: i<signatures number Segment type Segment k is i
C2: i=signatures number
Figure 2. Our TV program type identification approach.
3.1 Construction of the video reference catalogue
The reference catalogue contains a set of visual markers
associated with their grammars. The markers are the visual
jingles whose principal role is to identify visually the
starting moment of a given program, as perceived by the
viewers.
Generally, the graphic chart of the TV channels uses
jingles for a particular program during a long period.
 (IJCNS) International Journal of Computer and Network Security, 99
Consequently, based on the fact that the instances of a given
program have the same visual marker, we proceed to
represent the visual characteristics of an instance of a
particular type to identify thereafter the other ones.
3.1.1 State of art of visual content representation
Several researches have dealt with visual content signature
generation. A signature is a compact description that
constitutes the start point for the similarity detection of the
visual contents. Signature determination allows a direct
indexing that facilitates the identification of similar
contents. Generally, a signature generation requires mainly
two steps: First, detecting the significant low-level image
features, and secondly characterizing descriptors in compact
format.
According to the most realized researches in this context,
we cite two main types of relevant image primitives used to
compute the signature: point of interest [15] [18] and color
[7] [8]. Works based on first class of primitives (POI) were
designed using different detectors such as Harris [6] or SIFT
detector [15]. These methods are based on a common
ground: detection and description of the most relevant
points in the image, which gives more information than
others [15]. As an example, we cite the work of Stoettinger
[14] which uses a color version of POI detector for image
retrieval.
For the second class relying on the color feature, the main
idea is to represent the image color information in a
distinctive and reduced format. For example, [7] [8] use the
ordinal measure method to represent the intensity
distribution within the image. These methods proceed first
by computing the intensity average of N blocks in the given
image. Secondly, the set of average intensities is sorted in
ascending order and the rank is assigned to each block
referring to their mean intensity value. The ordinal measure
is expressed by the ranked sequence. On the other hand,
another type of methods exploiting the color information to
create the signature use color coherent vectors CCV [16] and
Vector quantization [9].
In summary, most existing video signature computing
employ feature vector extracted from a single frame for two
reasons: some approaches are proposed to CBIR systems,
and others rely on key-frame signature generation to detect
web videos copies. Hence, the majority of these approaches
do not consider the temporal aspect even though it improves
the signature efficiency.
3.1.2 Audiovisual grammar and video
signature generation
The concept of grammar is defined as a set of formalisms
allowing representing the relations which can exist between
a set of entities. This formalization makes it possible to
represent data in structured and significant way for a better
semantic interpretation. Inspired from this definition, in the
audiovisual field, the grammar notion is a recent concept
whose aim is to define an appropriate style to the TV
channels and to deduce the typical structures of TV
programs. Hence, a video grammar could be exploited in a
multitude of multimedia applications. As examples of these
applications, we cite the identification of TV programs type
[19], the characterization of a particular event in a sport
program (substitution, goals …). Indeed, video grammar is
Vol. 2, No. 9, September 2010
defined by the set of the visual and sound entities and their
relations which carry out to characterize a visual identity for
a particular TV channel. This identity is created by the
conception of a suitable graphic style. Graphic components
of this style are generally recurring for a long duration
(minimum a year) and their application follows a logic
specified by the “graphic chart” of TV channel.
Consequently, the grammar generation consists first of
detecting the visual invariants, then describing them in a
formal way and finally deduce the semantic interpretation
for their appearance. For example, in the case of sport video
grammar, the detection of cautioned player event requires
the extraction of the markers zones of text as well as the
visual invariants to symbolize the yellow card.
3.1.3 A spatial-temporal video signature
Our video signature generation method is based on visual
invariants (forms, colors …) (Figure 3). This approach
relies on the fact that the TV channels programs (such as
news or sport programs) use distinctive graphical
components to identify them visually. As a result, we exploit
visual grammars characterizing instances of the same
program type in order to identify the various program types
in the TV stream. The main role of this grammar is to
represent the visual invariants for each visual marker
(jingle) using a set of descriptors appropriate for each TV
program.
Figure 3. Samples of visual invariants of different TV
programs.
For an efficient representing of the visual invariants, it is
necessary to extract the most relevant features that can
characterize them. In fact, the signature generation process
creates a compact description of these features while
respecting two crucial properties: robustness and
uniqueness. These properties guarantee the discriminative
effect for distinguishing video content and ensure the
capability of noise tolerance. For the robustness property, a
signature must not vary when the video sequence contains
for example an insignificant signal noise or slight
luminosity variation. For the uniqueness property, two
different video contents must have two different signatures.
In this sense, every semantically different video segment
should possess a unique signature. Consequently, we
propose a new spatial-temporal method to generate a
100
signature for video segment identification that preserves
these two properties.
Indeed, contrary to most proposed approaches, we
generate video signature from a set of frames of the
audiovisual segment and not a single (key) frame. This fact
may influence on the signature efficacy (i.e., the uniqueness
property) as two videos with similar key-frames do not
necessarily have the same or similar content.
In order to overcome this deficiency, we opt for a bi-
dimensional signature. The main idea is to create a spatial-
temporal signature (1) where the generation process is
carried out from a set of frames, separated by a definite time
step Tstep. That is, the generation process provides different
levels of signature discrimination. Two signatures will be
similar/ dissimilar on three levels: Nframe, Tstep and SigF
which can further guarantee the uniqueness property.
([ ]
Vsig = SigF , Nframe,Tstep ) (1)
Our signature generation process starts by select a number
of frames Nframe and a temporal step (Tstep) which separates
them. Secondly, for each frame of the Nframe selected frames,
we compute SigF the low-level characteristics vector
derived from this frame. The signature of a video segment is
defined by the whole of frames signatures. Figure 4
illustrates our spatial-temporal signature generation process.
Figure 4. Process of spatial-temporal video signature
generation.
3.1.4 Frame level signature
Several methods were proposed to create an identified image
representation, especially these designed for CBIR
applications. Most common approaches are based on low
level features (color, intensity …) as detailed in the previous
section. In our approach and in order to ensure the
robustness of signature, we opted to use two descriptors:
colorimetric feature and a POI descriptor.
a) CCV descriptor
For the colorimetric descriptor, histograms are used to
represent images in many multimedia applications. Their
advantages are insensitivity to small changes. However,
color histograms lack spatial information, so images with
very different appearances can have similar histograms.
Hence, we use a histogram-based method for representing
images, that incorporates spatial information. Each pixel is
classified in a given color bucket as coherent or incoherent,
based on whether or not it is part of a large similarly-
homogeneous region. A color coherence vector (CCV) stores
the number of coherent versus incoherent pixels for each
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
color. CCV is a more sophisticated form of histogram
refinement, in which buckets are partitioned based on
spatial coherence. By separating coherent pixels from
incoherent ones, CCV provides finer distinctions than
classic histograms. The CCV computing process is
composed essentially of three steps:
• Image preprocessing
This first step smoothes the image by applying a medium
filter to the neighboring pixels. The major aim of this
preprocessing is to eliminate small variations between
adjacent pixels. Then, we precede to discrete the color
space, to obtain only Ncolor distinct colors in the image for
the following two reasons: First decreasing the luminance
variation effects, and secondly reducing the size of image
signature.
• Image segmentation
To classify pixels within a given color bucket as coherent or
incoherent, we proceed in the second step to region
segmentation.
In order to determine the pixel groups, the image is
segmented into disjoint and homogeneous regions. A region
is defined as a connected set of pixels for which uniformity
(homogeneity) condition is satisfied. Referring to
segmentation method category, a uniform region can be
obtained by two different ways: It can be derived by growing
from a seed block/pixel by joining others pixels or obtained
by splitting a large region which is not uniform.
Several image segmentation advanced techniques have
been proposed and classified in different categories (region
growing, split and merge…). We use the Statistical Region
Merging (SRM) [13] algorithm that belongs to the family of
region growing techniques with statistical test for region
fusion. The advantages of this method are simplicity and
performance without the use of color space transformations.
In addition, we opted also for the SRM method as it gives,
for each segmented region, the list of pixels belonging to it
and the related mean color which facilitates afterward the
computing of CCV’s bins. Note that in our work we apply
the SRM method on grayscale quantified images. Image is
segmented according to color buckets. This effectively
segments the image based on the discretized color space.
The SRM method is based on two major components: a
merging predicate (2) and the order followed in testing this
predicate. The merging predicate is defined as:
true, if R ' − R ≤b(R ') +b(R)
P ( R, R ') =  (2)
false, otherwise
1  RR 
with: b ( R ) = g
 ln 
2Q R  δ 
where R and R’ represent the two regions being tested,
R denotes the color average in region R and R|R| is the set of
regions with p pixels. The order of region merging follows a
criterion f, which implies that when any test between two
parts within a true region is performed. g and Q are global
(random) variables are used to determine the merging
predicate threshold.
 (IJCNS) International Journal of Computer and Network Security, 101
(a) (b)
Figure 5. Image segmentation using SRM: (a) input color
image, (b) segmented grayscale image.
The SRM’s algorithm is described as follow:
• First of all, an appropriate data structure was created
to stack the pairs of adjacent pixels based on 4-
connectivity.
Let p and p' be two pixels of an image I, we denote
by R(p) the region including the pixel p.
• Sort all pairs of pixels (using bucket sort) in
ascending order according to a function f (3) which
is a simplified version to calculate adjacent pixels
gradients.
• After sorting, the test the predicate merge P (R (p),
R (p ')) only once for pixels for which R (p) = R (p')
(i.e. belong to the same region) if the predicate is
satisfied, the two regions R (p) and R (p ') will be
merged. The merging phase is realized using the
union-find algorithm (a simple and efficient
algorithm to classify a set of elements into disjoint
classes).
f (p, p ') = | p'-p| (3)
• Pixels classification
Following the image segmentation, each pixel belongs to
exactly one region. Pixels are classified as coherent or
incoherent depending on the size of their regions. A pixel is
coherent if the size of region which it belongs exceeds a
threshold (proportional to image size); otherwise, the pixel
is considered as incoherent. For a given discretized color,
some pixels will be coherent and some others will be
incoherent. We nominate by αj the number of coherent
pixels of the j’th discretized color and by βj the number of
incoherent pixels. The total number of pixels for color j is αj
+ βj.
As a result, we obtain for each color j the pair (αj, βj)
called the j’th color’s coherence pair. The color coherence
vector for the image consists of ((α1,β1),...,(αn,βn)) .
So, the set of bins presents the CCV frame signature (4):
uuuuuur
{ }
SigFCCV = CCV i , i ∈ [1, N Color ] (4)
uuuuuur
where CCVi = (αi , β i )
b) POI descriptor
We opted to use the POI (Point Of Interest) descriptor for
the next reasons:
Vol. 2, No. 9, September 2010
In image processing, POI is a point in an image that has
special properties which make it stand out in comparison to
its adjacent points. Referring to their definition, POIs are
located where the photometric information is the most
important within an image. These points are
characterized by robustness to luminosity variation, blur
effect and geometric transformations. Indeed, using a POI
descriptor, we can provide a rich and compact signature at
once.
Furthermore, studies of comparison between different
POI detectors under variant conditions like illumination
variation proved that most repeatable results are obtained for
the Harris detector [6]. It is among the most stable and
broadly used POI detectors due to its robustness to noise and
lighting variations. The Harris detector relies on a basic
principle: at a corner, the intensity will change greatly in
different directions. Based on this observation, the central
idea of this detector is to use the autocorrelation function,
i.e. the second moment matrix, to determine locations where
the image intensity changes in two directions.
Thus, the POI’s frame signature is expressed by a POIs
vector (5):
uuuuur
{
SigFPOI = POI k , k ∈ [1, N POI ] } (5)
Where
 xk 
 
POIk =  yk 
 r ( x , y )
 k k ,
r(x,y) is the Harris metric value at (x,y) pixel.
3.2 TV programs type identification
In this section, we describe the video programs
identification process in TV streams. The basic idea of this
process consists in comparing the visual similarity of the
video signal at instant k to the catalogue reference elements.
Our video type identification relies on a central assumption:
two video V1 and V2 are visually similar if and only if their
signatures are similar. The identification process is
described as follows:
To identify the video type at the current frame k, for each
video signature Vsig(t) selected from the catalogue, we load
its NFSig frame signatures SigF[1.. NFSig] where SigF
denotes both SigF POI and SigF CCV. For each elementary
signature SigF (j: from 1 to NFSig), we measure the
similarity of this signature and the frame k signature.
3.2.1 Signature descriptors similarity
The program TV type identification relies essentially on
signature similarity measurement respectively between
SigF CCV descriptors and SigF POI descriptors in reference
catalogue and TV stream signal.
For SigF CCV, we calculate a normalized average of CCV bins
similarities defined in frame signature SimSigF CCV (6).
uuuuur uuuuur
∑(CCV ,CCV ) − ∑α (i ) −α (i ) + β (i ) −β (i ) 
Nccv
(6)
k j k j k j
i =1
SimSigfCCV (k, j ) = uuuuur uuuuur
∑(CCV ,CCV )
k j
 102 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

with : uuuuur uuuuur  N ccv  with a minimum number of false identifications i.e. d is
∑ (CCV k , CCV j ) =  ∑ α k (i ), β j (i ),α j (i ), β k ( i ) 
significant if both recall and precision having high values at
 i =1 
As for SigF POI signature similarity measurement, we test the once. So that, wd is a combination formula of these two
Euclidean distance of all POIs values defined in this metrics.
signature. Two SigF POI signatures are similar if and only if
the majority of POIs (a percentage number of NPOI) CI d (10)
R=
descriptors are similar (7). CI d + MI d
N POI uuuuur uuuuur
∑ Sim ( POI k , POI j ) CI d (11)
SimSigf POI ( k , j ) = k =1 (7) P =
N POI CI d + FI d

with:
uuuuur uuuuur 1, if Disteucd < threDist & Dist harris < threHarris 2× R × P (12)
Sim(POI k , POI j ) =  wd = F1=
R +P
0, otherwise
With:
Disteucd ( POI k , POI j ) = ( xk − x j ) + ( yk − y j )
2 2 CId: number of programs identified correctly using
descriptor d
Dist Harris ( POI k , POI j ) = r ( x k , y k ) − r ( x j , y j ) MId: number of missed identifications using descriptor d
FId: number of false identifications using descriptor d
3.2.2 Descriptors similarity combination
In order to define these weights, we conducted a training
Since a frame has a composed-signature (SigfCCV and
phase to choose the optimum weight value for the descriptor
SigfPOI), to detect the video type after computing the
d of each TV program/channel. Table 1 summarizes the
similarity of these signatures, we combine their similarities
weight values for various TV channels.
to obtain a single decision value: SimVideo(9). This
combination aims at increasing the identification rates.
Table 1: w1 and w2 values for each channel.
The combination is done using the average rule, following
Recall (R) Precision (P) wd (F1)
normalizing and pondering coefficients of two signature
descriptors. Hence, the frame signature similarity is defined
as (8): Descriptor d1 d2 d1 d2 w1 w2
Channel
w1 ×simSigf CCV (k ,t ) +w 2 ×simSigf POI (k ,t ) M6 0,8 0,92 1 0,92 0,89 0,92
simSigf (k ,t ) =
w1 +w 2 (8) RTV 0,95 0,66 0,75 0,87 0,84 0,75
LCI 0,99 0,69 0,98 0,9 0,98 0,78

1, if simsigf > thSig itele 0,83 0,53 0,67 0,75 0,74 0,62
simVideo (k , t ) =  (9) Abmoteurs 0,66 0,74 1 0,67 0,79 0,70

 0, ohterwinse France 24 1 0,5 0,84 0,71 0,91 0,59
with:
A segment localized at frame j in a video stream was
w th + w 2thCCV
thSig = 1 POI identified of type t only if the frames signatures (NsigF ) of
w 1 +w 2 Vsig(t) are similar to their homologous in the stream as
detailed in our similarity measurement metrics (13).
 N sigF
According to our experimental study, we concluded that a videoType (t ), if ∑ SimVideo ( k , t ) = N sigF
VideoSegment ( j ) =  (13)
discriminative identification of a descriptor d differ from a i =1
undefined , otherwise
channel to another. This could be explained by the fact that 
the graphic charter of channel used during the generics
production stage exploits graphics compositions rich of a 4. Experimental Results
particular descriptor (Figure 3) than another. Therefore, the
weighted coefficient wd of descriptor d must be relative to its 4.1 AViTyp: Automatic Video Type identification
efficiency to identify individual types of programs to tool
indicate the importance of d in the combination with To implement the proposed approach and in order to
other(s) descriptor(s) (8). In other words, the identification evaluate its efficacy, we have developed a system called
rate of d is as important as its weight of its coefficient. That AViTyp (Figure 6). This system offers two main features:
is, this weight must be proportional to identification rate signature creation for references catalogue items, and
(12). programs identification in files from TV channels. In
The relevance of descriptor d is evaluated by its capacity addition, AViTyp provides an ergonomic interface to adjust
to identify the maximum number of correct identifications
 (IJCNS) International Journal of Computer and Network Security, 103
Vol. 2, No. 9, September 2010

identification process: defining the weights and appropriate
thresholds for the current channel.
their grammars expressed as spatial-temporal video
signatures.
In order to improve the video type identification quality,
we focus our future work on the integration of other
descriptors such as the form or the texture features in video
grammar which can characterize the visual jingles since the
used features are not always discriminative.

References
[1] Babaguchi, N. ; Kawai, Y. ; Kitahashi, T. “Event
Based Indexing of Broadcasted Sports Video by
Intermodal Collaboration”. IEEE Transactions On
Multimedia, Vol. 4, NO. 1, pp. 68-75 (2002)
[2] Berrani, S. A. ; Manson, G. ; Lechat ,P. “A Non-
Supervised Approach for Repeated Sequence Detection
Figure 6. User interface of the AViTyp tool. in TV Broadcast Streams”. Signal Processing: Image
Communication, special issue on "Semantic Analysis
for Interactive Multimedia Services", pp. 525-537
4.2 Evaluation of the video type identification (2008)
performance [3] Conseil Supéreiur de l’Audiovisuel. “Publicité,
To evaluate experimentally our video type identification parrainage et téléachat à la télévision et à la radio”,
approach, we used a large and varied corpus composed of a http://www.csa.fr, (2008) France
set of video files which are long streams from 6 different TV [4] Duan, L. Y.; Xu, M. ; Tian, Q. ; Xu C. S. ; Jin, J.S. “A
channels. Various programs and inter-programs types Unified Framework For Semantic Shot Classification
(news, sport, varieties, documentaries, pubs…) are In Sports Video”. IEEE Transactions on Multimedia
contained in these streams. Volume: 7, Issue 6, pp. 1066- 1083(2005)
To evaluate the performance of the proposed approach, [5] Haller, M. ; Hyoung-Gook, K. ; Sikora, T.
we used the recall (10) and precision (11) metrics. Table 2 “Audiovisual Anchorperson Detection For Topic-
presents the experimental results values regrouped by TV Oriented Navigation In Broadcast News” IEEE
channel. International Conference on Multimedia and Expo
(ICME), pp. 1817 – 1820 Canada (2006).
Table 2: Experimental results grouped by channel. [6] Harris, C.; Stephens M. “A Combined Corner And
TV channel recall Precision Edge Detector”. Alvey Vision Conf, pp. 147-151
M6 93,2 100 (1988)
RTV 81,6 100 [7] Hua, X.S. ; Chen, X. and Zhang, H.J. “Robust Video
Signature Based On Ordinal Measure International”.
LCI 85,22 85,71 Conference on Information Processing ICIP04, pp.
Itele 74,2 83,33 685-688 (2004)
Abmoteurs 75 100 [8] Kimura, A. ; Kashino,K. ; Kurozumi, T. ; Hiroshi, M.
France 24 94,7 87,5 “A Quick Search Method for Multimedia Signals
All channels 83,98 92,75 Using Feature Compression Based on Piecewise Linear
(average) Maps”. Proc. of International Conference on
Acoustics, Speech and Signal Processing (ICASSP),
In this experimentation, despite the good precision value, vo1.4, pp. 3656-3659 (2002)
we conclude that the recall was rather satisfactory (83,98%) [9] Kurozumi, T. ; Kashino, K. ; Hiroshi, M. “A Method
and needs to be improved. The degradation of the recall is for Robust and Quick Video Searching Using
due essentially to some missed identifications. The main Probabilistic Dither-Voting”. Proc. International
reason behind the missed cases is due essentially to the Conference on Image Processing, vol.2, pp. 653-656
quality of the broadcast streams, like a blur signal. (2001)
[10] Law-To, J. ; Chen, L.; Joly, A. ; Laptev, Y. ; Buisson,
O. ; Gouet-Brunet, V. ; Boujemaa, N. ; Stentiford, F.
5. Conclusion and future work “Video Copy Detection: A Comparative Study” ACM.
We have proposed in this paper a grammar-based approach International Conference on Image and Video
for video program identification in TV streams. The Retrieval (CIVR'07), pp. 371-378 (2007).
approach is composed by two steps: (i) creation of references [11] Mahdi, W. ; Ardebilian, M. ; Chen, L. “Automatic
catalogue and (ii) identification of programs TV in channels Video Scene Segmentation Based On Spatial-
streams. It compares the visual similarity between TV Temporal Clues And Rhythm”. Journal on Network
stream signal and video signatures stored within as Info Systems. v.2(5), pp. 1-25 (2000)
grammar descriptors in a reference catalogue. This [12] Naturel, X.; Gros, P. “Detecting repeats for video
catalogue is composed of a set of visual “jingles” that structuring”. Multimedia Tools and Applications Vol
characterize the starting of TV programs associated, with 38, Issue 2, pp. 233 – 252 (2008).
104 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

[13] Nock, R.; Nielsen, F. “Statistical Region Merging”.

IEEE Trans. Pattern Anal. Mach. Intell. 26(11), pp.
1452-1458 (2004)
[14] Stoettinger, J.; Hanbury, A.; Sebe, N.; Gevers, T.Do
Colour Interest Points Improve Image Retrieval, IEEE
International Conference on Image Processing (ICIP ).
Volume 1, pp. 169 - 172 (2007)
[15] Valle, E. ; Cord, M. ; Foliguet, S. P. “CBIR in
Cultural Databases for Identification of Images: A
Local-Descriptors Approach”. Int. Conf. on Geometric
Modeling and Imaging, pp. 177-182, London (2006)
[16] Wen, L. ; Tan, G. “Image Retrieval Using Spatial
Multi-color Coherence Vectors Mixing Location
Information”. Proceedings of the 2008 ISECS
International Colloquium on Computing,
Communication, Control, and Management - Volume
01. pp. 299 – 302 (2008)
[17] Yang, X.; Sun, O.; Qi Tian, Q. “Content-based video
identification: a survey”, in International Conference
on Information Technology: Research and Education,
2003. Proceedings (ITRE), pp. 50–54. (2003)
[18] Zhang, H.; Rahmani, R.; Cholleti, S. R. ; Goldman S.
A. “Local Image Representations Using Pruned
Salient Points with Applications to CBIR”.
Proceedings of the 14th annual ACM international
conference on Multimedia. pp. 287-296 (2006)
[19] Zlitni, T.; Mahdi, W.; Ben-Abdallah, H. “A New
Approach for TV Programs Identification Based On
Video Grammar”. Proceedings of the 7th International
Conference on Advances in Mobile Computing and
Multimedia (MoMM), pp. 316-320, Malaysia (2009)

Authors Profile
Tarek ZLITNI received the M.S
degree in information systems and new
technologies in 2007 from the
University of Sfax, TUNISIA, where
he is pursuing the Ph.D. degree in
computer science.
His research interests focus on video
and image processing and analysis,
multimedia indexing, and content-
based video segmentation and
structuring.

Walid MAHDI received a Ph.D. in

Computer and Information Science
from Ecole Centrale de Lyon, France
in 2001. He is currently Assistant
Professor at Higher Institute of
Computer Science and Multimedia, at
the University of Sfax, TUNISIA. His
research is about image and video
processing.
 (IJCNS) International Journal of Computer and Network Security, 105
Vol. 2, No. 9, September 2010

A Modified Hill Cipher Involving a Pair of Keys

and a Permutation
V.U.K.Sastry1, Aruna Varanasi2 and S.Udaya Kumar3
1
Department of Computer Science and Engineering, SNIST
Hyderabad, A.P.India,
vuksastry@rediffmail.com
2
Department of Computer Science and Engineering, SNIST
Hyderabad, A.P. India,
varanasi.aruna2002@gmail.com
3
Department of Computer Science and Engineering, SNIST
Hyderabad, A.P. India,
uksusarla@rediffmail.com

Abstract: In this paper, we have developed a block cipher by analysis. Finally in section 6 we have presented the
introducing a pair of keys-one as a left multiplicant of the numerical computations carried out in this analysis and
plaintext and the second one as a right multiplicant of the drawn conclusions.
plaintext. Here as we utilize EBCDIC code for converting
characters into decimal numbers, we use mod 256. We have
developed an iterative procedure, which includes a permutation, 2. Development of the cipher
for the cipher. The avalanche effect and the cryptanalysis
clearly show that the cipher is a potential one. Consider a plaintext, P. Let this be written in the form of a
matrix given by
Keywords: Encryption, Decryption, Cryptanalysis, avalanche P = [Pij], i= 1 to n , j=1 to n. (1)
effect, permutation, pair of keys. Here each Pij is a decimal number lying between 0 and 255.
Let us choose a pair of keys denoted by K and L, where K
1. Introduction and L can be represented in the form
K = [Kij], i=1 to n, j=1 to n, (2)
In the recent years, several modifications of Hill Cipher [1- and L = [Lij], i=1 to n, j=1 to n. (3)
5] have appeared in the literature of Cryptography. In all Here the elements of K and L are decimal numbers lying in
these investigations, modular arithmetic inverse of a key [0-255].
matrix plays a vital role in the processes of encryption Let the ciphertext, C be given by
and decryption. C = [Cij], i=1 to n, j=1 to n, (4)
It is well known that the Hill Cipher containing the key in which all the elements of C also lie in the interval 0 to
matrix on the left side of the plaintext as multiplicant can be 255.
broken by the known plaintext attack. In a recent paper, to The process of encryption and the process of decryption
overcome this drawback, Sastry et al.[6] have developed a are described by the flow charts given in Figure1.
block cipher which includes a key matrix on both the sides
of the plaintext matrix. In this analysis they have discussed
the avalanche effect and cryptanalysis, and have shown that
the cipher is a strong one.
In the present paper, our objective is to modify the Hill
Cipher by including a pair of key matrices, one on the left
side of the plaintext matrix and another one on the right
side of the plaintext matrix as multiplicants, so that the
strength of the cipher becomes highly significant. In this we
represent each character of the plaintext under consideration
in terms of EBCDIC code and use mod 256 as a
fundamental operation. Here the security of the cipher is
expected to be more as we have two keys. This is on account
of the fact that, in some untoward circumstances, though
one key is known to the hackers, other remains as a secret
one and it protects the secrecy of the cipher.
In what follows we present the plan of the paper. In
section 2, we have mentioned the development of cipher. In
section 3, we have illustrated the cipher by giving an
example and discussed the avalanche effect. Section 4 is
devoted to the cryptanalysis of the cipher. In section 5 we Figure 1. Flow Charts of the Cipher
have presented the summary of the results obtained in this
106 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

The process of encryption, which is in the form of 4. P=C

iteration, is governed by the relations
5. Write (P)
P = (K P L) mod 256,
and P = Permute(P).
Algorithm for Inverse(K)
The process of decryption is governed by the relations,
1. Read A, n, N
C= IPermute(C ) and
// A is an n x n matrix. N is a positive integer with which
C= (K¯1 C L¯1) mod 256,
modular arithmetic
The process of permutation adopted in Permute()
is carried out. Here N= 256.
function can be described as follows.
2. Find the determinant of A. Let it be denoted by Δ,
Let us convert each element of P into its binary form.
where Δ ≠ 0.
Then we get a matrix, which can be brought to the form
3. Find the inverse of A. The inverse is given by [Aji]/ Δ,
given below:
i= 1 to n , j = 1 to n
 p111 L p118  // [Aij] are the cofactors of aij, where aij are the
 p121 O p128  elements of A
 M O M  for i = 1 to N
  {
 M O M  // Δ is relatively prime to N
 pnn1 K pnn8 if((iΔ) mod N == 1) break;
This contains m (=n2) rows and eight columns. }
Assuming that n is an even number, the above matrix is d= i;
divided into two halves. The upper half contains m/2 rows B = [dAji] mod N. // B is the modular arithmetic
and eight columns, and similarly the lower half. Then the inverse of A.
upper half is mapped into a matrix containing m rows and
four columns. In the process of mapping we start with the
last element of the upper half and place it as the first row, 3. Illustration of the cipher
first column element of a new matrix. Then we place the last Let us consider the plaintext given below.
but one element of the upper half as the element in the The Government is trying to break our unity. What wrong
second row and first column. We continue this process of we have done! we are working according to our conscience.
placing the remaining elements of the upper half, one after Unity is our Divinity. Spread this motto. (5)
another, till we get m rows and four columns of the new Let us focus of our attention on the first sixteen characters of
matrix. Then we place the elements of the lower half from the plaintext. Thus we have
the beginning to the end, such that they occupy four more The Government i (6)
columns and m rows. Thus we again get a matrix of size On using EBCDIC Code we get the plaintext matrix, P
mx8. This process of permutation is expected to thoroughly in the form
permute the binary bits of the elements. The clear picture of
this permutation can be seen later in illustration.
 227 136 133 64 
It may be noted here that IPermute() in decryption is a
199 150 165 133
P=   (7)
reverse process of Permute() used in encryption.
153 149 148 133

The algorithms for encryption and decryption can be
149 163 64 137
written as follows.
Let us now select the Key matrices K and L. Here we
take
Algorithm for Encryption
1. Read n,P,K,L,r
12 120 9 67 
2. for i = 1 to r 4 17 20 11 
{ K=   (8) and
P = (K P L) mod 256  48 99 109 75

P= Permute(P) 39 55 85 92 
}
C=P
102 20 33 45
3. Write( C ) 117 120 89 97
L=   (9)
Algorithm for Decryption  79 49 53 23

1. Read n,C,K,L,r  10 33 54 37
2. K¯1 = Inverse(K)
L¯1 = Inverse(L)
The process of permutation, included in the function
3. for i= 1 to r
Permute(), involved in the process of encryption can be
{
explained as follows. Let us express each element of P,
C = IPermute(C)
obtained in the current iteration, in its binary form. For
C = (K¯1 C L¯1) mod 256
example, in the first iteration after carrying out the
}
computation of the relation P = (KPL) mod 256, we get
 (IJCNS) International Journal of Computer and Network Security, 107
Vol. 2, No. 9, September 2010

Here the first column is obtained by writing the elements

142 40 90 202 of the eighth row and then the seventh row of (11) in reverse
 250 165 54 44  order, similarly the other three columns are obtained by
P=  (10) using the sixth and fifth rows, and so on, one after the other,
 245 90 230 149  taking two rows of (11) at a time and placing the elements
187 166 40 144  in reverse order. Then the fifth column is formed by placing
the ninth and tenth rows of (11) directly in their order.
On converting each element of P, given by (10), into its Further the remaining three columns are achieved by using
binary form, and placing the binary bits of the first element the remaining six rows of (11), by taking two rows at a time,
142 in the fir st row, the binary bits of 40 in the second row and placing the elements in their order.
and so on, we rewrite P in the form of a 16x8 matrix as On converting each row of (12) into decimal form, and
shown below. Thus we have arranging the decimal numbers in a matrix of size 4x4, we
get

 78 44 207 186
 3 220 38 106
1 0 0 0 1 1 1 0 P=   (13)
0 0 1 0 1 0 0 0  7 248 146 125

0 1 0 1 1 0 1 0
  232 198 106 84 
 
1 1 0 0 1 0 1 0
1 1 1 1 1 0 1 0 This is the final result of permutation.
1 0 1 0 0 1 0 1
 On using (7 – 9), and applying the encryption
 
algorithm, given in section 2, with r=16, we get
0 0 1 1 0 1 1 0
0 0 1 0 1 1 0 0
P= 
1
(11)
1 1 1 1 0 1 0
  197 13 153 234
0 1 0 1 1 0 1 0 108 170 106 175 
1 1 1 0 0 1 1 0 C=   (14)
1 0 0 1 0 1 0 1 110 217 254 8

  195 15 104 58 
1 0 1 1 1 0 1 1
1 0 1 0 0 1 1 0 On adopting the decryption algorithm, we get back the
0 0 1 0 1 0 0 0 original plaintext given by (7).
1 
 0 0 1 0 0 0 0
Now, in order to examine the strength of the algorithm,
let us study the avalanche effect. To this end, let us modify
On adopting the permutation process described in
the plaintext (6) by changing the character G to F. The
section 2, (11) can be brought into the form of a matrix,
EBCDIC code of G and F are 199 and 198 respectively, and
containing 16 rows and eight columns, given by
they differ in one binary bit. Thus, on using the modified
0 1 0 0 1 1 1 0 plaintext and the encryption algorithm, let us compute the
0 0 1 0 1 1 0 0 corresponding ciphertext. This is given by
1 1 0 0 1 1 1 1
 
1 0 1 1 1 0 1 0  238 206 114 23 
0 0 0 0 0 0 1 1 127 135 247 32 
1 1 0 1 1 1 0 0 C =  233  (15)
216 221 177
   
0 0 1 0 0 1 1 0  17 223 251 14 
0 1 1 0 1 0 1 0
P= 
0 0 0 0 0 1 1 1
(12) On converting (14) and (15) into their binary form, we
  notice that the two ciphertexts differ by 65 bits (out of 128
1 1 1 1 1 0 0 0 bits). This shows that the cipher is a strong one.
1 0 0 1 0 0 1 0
0 1 1 1 1 1 0 1 Let us now change a number in one of the keys, say
  key, K. Here we change the third row first column element
1 1 1 0 1 0 0 0 of 8 from 48 to 49, which differ only by one binary bit. On
1 1 0 0 0 1 1 0 carrying out the process of encryption with the modified
0 1 1 0 1 0 1 0 key, keeping the other key and the original plaintext intact,
0 1 0 1 0 1 0 0
  we get the ciphertext given by
108 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

 211 115 111 110 6. Summary of the Results

 237 18 141 17 
C=  75  (16) The avalanche effect presented in section 3 clearly indicates
133 230 180
  that the cipher is a strong one. The cryptanalysis discussed
190 121 219 150 in section 4 shows that the cipher cannot be broken by any
cryptanalytic attack.
On comparing (14) and (16), after converting them into
their binary form, we find that they differ by 69 bits (out of 6. Computations and Conclusions
128 bits). This also shows that the cipher is a potential one.
In this analysis we have written java programs
4. Cryptanalysis corresponding to the algorithms for encryption and
decryption presented in section 2.
On dividing the complete plaintext (5) into blocks,
In the literature of Cryptography, the general types of wherein each block contains 16 characters, we have adopted
attacks on a cipher are the process of the encryption. However, in the last block
1. Ciphertext only attack (brute force attack) whose length is less than 16 characters, we have appended
2. Known plaintext attack blank spaces at the end. Thus we get the ciphertext for the
3. Chosen plaintext attack entire plaintext in the form as shown below:
4. Chosen ciphertext attack
In the cipher under consideration, the keys K and L,
both put together, are containing 2n2 numbers, wherein each
number can be represented in terms of 8 binary bits. Thus 197 13 153 234 108 170 106 175 110 217 254 8 195 15 104 58 
the key space is of size 150 58 141 125 167 197 174 69 51 238 35 35 185 81 118 96 
214 142 15 230 27 88 190 113 20 245 221 19 105 124 14 224

216n2 = (210)1.6n2 ≈ 104.8n2  86 253 226 231 104 48 231 89 190 140 240 40 24 158 137 72

215
16 202 219 146 193 0 67 37 172 144 15 126 240 137 185 148

 84 
191 221 17 187 138 41 153 14 1 140 202 62 68 85 248

 64 186 
52 62 247 108 192 65 153 113 2 103 95 161 254 228 2
On assuming that the computation of the cipher with a 174 187 58 138 54 197 192 199 131 192 107 174 29 72
specified pair of values of the keys takes 10-7 seconds, the 222 106 203 119 15 138 35 213 167 38 187 132 67 228 115 129 

time required for the brute force attack is obtained as  19 47 99 229 114 138 22 168 129 152 78 38 66 117 152 108 


 104.8n 2 x10−7  The avalanche effect, discussed in section 3, and the

 
  = 57 x  10 4.8n 2 x10 −15 
 
365 x 24 x 60 x 60  
= 57 x  10
4.8n 2 −15 
 responsible for the strength of the cipher.
 
This shows that the time required for computation is
several years when n>=2.
Thus the cipher cannot be broken by the cipher text only
attack.
In the case of known plaintext attack, we have as many
plaintext and ciphertext pairs as we require for our attack.
Here in this analysis, as the plaintext undergoes several
transformations on account of multiplication by the key
matrices and permutation, in each round of the iteration,
before the plaintext becomes the ciphertext, the nonlinearity
involved in the process does not allow any one to break the
cipher.
Intuitively choosing a plaintext or a ciphertext is an
impossible one as the process involved in the cipher is a
complex one. Thus the cipher cannot be broken by chosen
plaintext/ciphertext attack.
In the light of the above discussion, we conclude that the
cipher is a strong one.
cryptanalysis, performed in section 4, clearly indicate that
the cipher is a strong one. The pair of key matrices, one on
the left side of the plaintext and the other on the right side
of the plaintext and the process of permutation are totally
This analysis can be extended to a large block of
plaintext by enhancing the size of K and L appropriately.
References:
[1] William Stallings, Cryptography and Network Security,
Principles and Practice, Third edition, Pearson, 2003.
[2] V.U.K.Sastry, S.Udaya Kumar, A.Vinaya Babu, “ A
Large Block Cipher using Modular Arithmetic Inverse
of a Key Matrix and Mixing of the Key Matrix and the
Plaintext”, Journal of Computer Science 2(9),pp.698-
703,2006.
[3] V.U.K.Sastry, V.Janaki, “A Block Cipher Using Linear
Congruences”, Journal of Computer Science 3(7),
pp.556-561,2007.
[4] V.U.K.Sastry, V.Janaki, “A Modified Hill Cipher with
Multiple Keys”, International Journal of Computational
Science, Vol.2, No.6,pp.815-826, Dec.2008.
[5] V.U.K.Sastry, D.S.R.Murthy, S. Durga Bhavani, “A
Large Block Cipher Involving a Key Applied on Both
the Sides of the Plaintext”, Vol.2, No.2, pp.10-
13,February.
 (IJCNS) International Journal of Computer and Network Security, 109
Evaluation of Intrusion Detection Techniques for
Enterprise Information Security
Kanwarpreet Singh1, Yogesh Chaba2 and Amritpal3
1
IBM India
kps@sandhu.com
2
Deptt of CSE, GJUST Hisar
yogeshchaba@yahoo.com
3
Deptt of CSE, St MEC, Alwar
Abstract: Intrusion detection systems (IDSs) aim at detecting
attack against computer systems and networks or in general,
against information system. With the rapid growing
unauthorized activities in network, Intrusion Detection as a
component of defence is very necessary because traditional
firewall techniques cannot provide complete protection against
intrusion. Network – based IDSs are designed to monitor
potential attacks in enterprise network information security.
Detection of intrusions falls in two categories anomaly and
signature detection. This paper describes about various types of
IDS like Network–based IDS, Host-based IDS and Hybrid IDSs.
Further, evaluation of average intrusive events using signature
detection technique for enterprise information security is
presented.
Keywords : IDS, Attack, Security, Enterprise, Events
1. Introduction
The movement towards a more secured computing system
continues to rise as management becomes cognizant of
numerous threats that exist to their enterprises [3]. As
internet-based and Intranet-based network system are
growing, to share information and conduct business with
online partners. However hackers have also learned to use
these systems to access private networks and resources.
Studies show that many enterprises have suffered external
and internal network intrusions, including some that
resulted in sizable loss of money. Enterprise systems are
subject to various types of attacks. For example, hackers can
penetrate systems by taking advantage of bugs or by
acquiring passwords. Traditional security products can be
penetrated from outside and can also leave organization
vulnerable to internal attacks. Network – based IDSs solve
these problems by detecting external and internal security
breaches as they happen and immediately notifying security
personnel and network administrator by email or pager[2]
This type of system covers an entire organization by
deploying monitoring agents on local networks, between
subnets, and even on remote networks on internet. The rest
of paper is organized as follows. Second section discusses
character tics of good intrusion detection system and need of
intrusion detection system to secure enterprise information.
Section three presents various types of intrusion detection
systems like Host–based IDS, Network-based IDS and
Hybrid IDS and fifth section evaluates Intrusion Detection
Vol. 2, No. 9, September 2010
techniques for Enterprise Information Security.
2. Intrusion Detection System
An intrusion detection system is software and/ or hardware
designed to detect unwanted attempt at accessing,
manipulating and disabling of computer systems, mainly
through a network, such as the internet. These attempts may
take the forms of attacks, as i.e. by crackers, malware and
disgruntled employees. An intrusion detection system is
used to detect several types of malicious behaviors that can
compromise the security and trust of computer system. This
includes network attacks against vulnerable services, data
driven attacks on applications, host based attacks such as
privilege escalation, unauthorized logins and access to
sensitive files and malware.
2.1 Need of Intrusion Detection System
The security incidents that occur on a network, the vast
majority (up to 85 percent by many estimates) come from
inside the network. These attacks may consist of otherwise
authorized users who are disgruntled employees. The
remainder come from the outside, in the form of denial of
service attacks or attempts to penetrate a network
infrastructure. An intrusion detection system remains the
only proactive means of detecting and responding to threats
that stem from both inside and outside a corporate network.
Intrusion detection Systems are integral and necessary
element of a complete information security infrastructure
performing as “the logical complement to network
firewalls”[1]. Simply put, IDS tools allow for complete
supervisions of networks, regardless of the action being
taken such that information will always exist to determine
the nature of the security incident and its source. Study
shows that nearly all large enterprises and most medium-
sized organizations have installed some form of intrusion
detection tools [6]. However it is clear that given the
increasing frequency of security incidents, any entity with a
presence on the internet should have some form of IDS
running as a line of defence. Network attacks and intrusions
can be motivated by financial, political, military, or personal
reasons, so no company should feel immune. Realistically, if
there is a network then this is a potential target, and should
have some form of IDS installed on system.
2.2 Characteristics of good Intrusion Detection System
Regardless of whether the IDSs are based on misuse or
anomaly detection, it should possess the following
characteristics [4]
110
• Run continually without human supervision – must be
adequately reliable to operate in the background.
• Fault tolerant – able to survive a system crash without
requiring its knowledge to re-built when restarted.
• Resist subversion – able to be monitor itself to ensure it
is not being subverted.
• Minimal system overhead – must not adversely affect
the system performance.
• Observe deviations from normal behavior.
• Easily tailored and adaptable to changing usage
patterns of the host system.
• Cope with changing system behavior over time as new
applications are added.
2.3 Types of Intrusion Detection System
Intrusion detection system has various types and approaches
for the goal of detecting suspicious traffic in different ways.
There are network based (NIDS), host based (HIDS) and
hybrid intrusion detection systems.
• Network-Based Intrusion Detection System : Network-
Based IDS are placed at a strategic point or points
within the network to monitor traffic to and from all
devices on the network. Ideally this would scan all
inbound and outbound traffic; however doing so might
create a bottleneck that would impair the overall speed
of network.
• Host-Based Intrusion Detection System : Host-Based IDS
are run on individual hosts or devices on the network. A
HIDS monitors the inbound and outbound packets from
the devices only and will alert the user or administrator
of suspicious activity is detected.
Hybrid Systems : A hybrid system is simply an IDS that has
features of both host-based and network-based systems are
becoming the norm, but most IDS’s still are stronger in one
area or the other. A host-based system complemented by a
handful of inexpensive network monitoring tools can make
for a complete strategy [7].
3. Intrusion Detection Techniques
This section presents basically two types of intrusion
detection system techniques for enterprise information
security first, anomaly detection and second is signature or
misuse detection.
3.1 Anomaly Detection
The IDS establishes a baseline of normal usage patterns, and
anything that widely deviates from it gets flagged as a
possible intrusion. What is considered to be an anomaly can
vary, but normally, any incident that occurs on frequency
greater than or less than two standard deviations from the
statistical norms raise an eyebrow. For an example, if a
computer used at 2.00 am when normally no one outside of
business hours should have access, this should raise some
suspicious activity. At another level, anomaly detection can
investigate user patterns, such as profiling the programs
executed daily. If a user in a graphics department suddenly
starts accessing accounting programs or compiling code, the
system can properly alerts its administrator.
3.2 Signature Detection
This method uses specifically known patterns of
unauthorized behaviour to predict and detect subsequent
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
similar attempts. These specific patterns are called
signatures. For HIDS, one example of a signature is “three
failed logins” and for NIDS, a signature can be simple as a
specific pattern that matches a portion of network packet.
For instance, packet content signatures and /or header
content signature can indicate unauthorized actions, such as
improper FTP initiation. The occurrence of a signature
might not signify an actual attempted unauthorized access,
but it is good idea to take each alert seriously. Depending on
the robustness and seriousness of a signature that is
triggered, some alarm, response, or notification should be
sent to proper authorities [5]
4. Evaluation of ID Techniques For Enterprise
Information Security
This section, presents the implementation of Intrusion
Detection techniques using signature detection algorithms
through Sax2 simulator, which provides a simulation
platform to detect intrusion events in the enterprise network.
Sax2 is a professional intrusion detection and response
system that performs real-time packet capturing, 24/7
network monitoring, advanced protocol analyzing and
automatic expert detection. These specific patterns are
called signatures. Depending the robustness and seriousness
of a signature that is triggered, some alarm, response, or
notification should be sent to proper authorities.
4.1 Results
Analysis and observation of average intrusion detection in
real-time network using signature detection technique as
shown in figure 1, 2, 3, 4 and 5 with respect to different
timings is done. Attack events are categorized as notice
based, warning based, information and others.
• Average Intrusion Events in percentage for 17 Hosts on
Network after 15 minutes is shown in figure 1. (45%
notice based, 3% warning based, 45% information based
and 7% others type).
50
45
45 %, N o t ic e
40
35
3% , Wa rning
30
25
20
45 % ,
15
Info rm a t io n
7%, O the rs
10
5
0
S t at is tics Ite m
Figure 1: Average intrusion due to various statistics
item for 17 hosts on real-time network after 15 minutes
 (IJCNS) International Journal of Computer and Network Security, 111
Vol. 2, No. 9, September 2010

50

45
4 6 %, Not ice 50
40
45
35 4 6 %, N o t ice
3 % , Warning 40
30
35
25 3 % , W arning
30
43%,
20
Inf ormat ion 25
15
43% ,
20
8 %, Ot hers Inf o rmat i o n
10 15
8 %, O t her s
5 10

0 5

St at ist ics It em
S ta tis tics Ite m

Figure 2: Average intrusion events due to various

statistics items in real-time network after 30 minutes
• Average Intrusion Events in percentage for 17 Hosts on
Network after 30 minutes is shown in figure 2. (46%
notice based, 3% warning based, 43% information based
and 8% others types).
Figure 4: Average intrusion events due to various
statistics items for 17 hosts on real-time network after
60 minutes
• Average Intrusion Events in percentage for 17 Hosts on
Network after 75 minutes is shown in figure 5. (47%
notice based, 3% warning based, 42% information based
and 8% others types).

• Average Intrusion Events in percentage for 17 Hosts on

Network after 45 minutes is shown in figure 3. (46%
notice based, 3% warning based, 44% information based 50

and 7% others types). 45

4 7%, Not ice
40
35
30
3 % , Warning
25
20 42%,
50 15 Inf ormat ion
45 10 8 %, Ot hers
46%, Notice
40 5
35 0
30

25 3% , Warning
20
15
10 44% , Information Statistics Item
5
0

7%, Others Figure 5: Average intrusion events due to various

•
St at istics Item
Figure 3: Average intrusion events due to various
statistics items for 17 hosts on real-time network after
45 minutes
• Average Intrusion Events in percentage for 17 Hosts on
Network after 60 minutes is shown in figure 4. (46%
notice based, 3% warning based, 43% information based
and 8% others types).
statistics items for 17 hosts on real-time network after
75 minutes
After observing the results it is found that majority of
attacks on Enterprise information are of notice and
information based (around 89 %) so there is a need to
design an Intrusion Detection system with better protection
in these two areas for Enterprise information security.
5. Conclusion
A computer system should provide confidentiality, integrity
and assurance against viruses, worms and denial of service.
However due to increased connectivity on the internet and
vast spectrum of financial possibilities that are opening up,
more systems are subject to attack by intruder. Network–
based IDSs solves these problems by detecting external and
internal security breaches as they happen and immediately
112 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

notifying security personnel and network administrator by conferences. He is recipient of Young Scientist Award by
email or pager. Evaluation of Intrusion Detection techniques International Academy of Physical Sciences for research work. He
for Enterprise Information Security was done using Sax2 is also Principal Investigator of two projects funded by National
agencies in area of Ubiquitous computing and MANET security.
simulator. Evaluation of average intrusive events in real-
His research interests include mobile communication, computer
time network for different hosts with respect to different networks and information security.
timings is also done. After analysis and observation of
intrusion detection in real-time network using signature
detection technique as shown in above mentioned figures, it Amrit Pal received the B.E. degree in Computer
is concluded that notice and information based attacks Science and Engineering from LIET Alwar
require more attention than warning based and others types affiliated to Rajasthan University, India in year
of attack on network. Attacks can be detected very 2005. He obtained his MTech degree with
efficiently using signature detection technique on enterprise DISTINCTION in Computer Sc & Engg from GJ
network. University of Science and Technology, Hisar,
India. He is working as Assistant Professor in St
MEC Alwar, India. His research interests include Computer
References Forensic and information security.
[1]. Bace and Rebecca, “An Introduction to Intrusion
Detection and Assessment: System and Network
Security Management”. ICSA White paper, 1998.
[2]. Chris H, Detecting Attacks on Network, McGraw Hill,
1997.
[3]. Garuba M, Liu C and Fraites D, “Intrusion Techniques:
Comparative Study of Network Intrusion Detection
Systems” Proc of IEEE Fifth International Conference
on Information Technology, IEEE Computer Society,
pp 794-798, 2008.
[4]. Hart R, Morgan D and Tran H, “Introduction to
automated intrusion detection approaches” Journal of
Information Management and Computer Security, pp
76-82, 1999.
[5]. Paul I and Oba M, An introduction to Intrusion
Detection System, John Wiley & Sons, 2001.
[6] Sans, “Intrusion Detection and Vulnerability Testing
Tools: 101 security solution” E-Alert News letters,
2001.
[7] Tony B, Introduction to Intrusion Detection Systems:
[Online] www.aboutids.com, 2001.

Authors Profile

Kanwarpreet Singh received the MBA degree

from FIIB New Delhi, India in year 1999. He is
doing PhD degree in the area of Management
Information System and Computer Forensics. He
has more then 10 years of experience in IT
industry. He is currently working with IBM India.
His research interests include Computer Forensic
and information security.

Yogesh Chaba received the B.E. degree in

Computer Science and Engineering from
Marathwada University, Aurangabad
with Distinction in year 1993. He obtained his
MS degree in Software Systems from BITS
Pilani and PhD degree in Computer Science and
Engineering from GJ University of Science and
Technology, Hisar, India respectively. He worked as Chairman,
Department of Computer Science and Engineering, Guru
Jambheshwar University of Science and Technology, Hisar for
three years. He has 15 years of teaching and research experience in
field of Computer Science and Engineering. He has 68 national
and international publications to his credit in reputed journals and
 (IJCNS) International Journal of Computer and Network Security, 113
Vol. 2, No. 9, September 2010

Evaluation of Destructive and Negative Effects of

using Computers, the Internet and Computer Games
on Students
Mehdi Soltani
Azerbaijan National Academy of Sciences,
Institute of Information Technology,
Baku, Azerbaijan
me_soltani@ymail.com

the Internet is a third part of paper. Finally I have described

Abstract: Information Technology (IT) in present world is
developing swiftly, even our daily life is affected, as well and
its presence is felt at school, home, and office etc. Children
benefit these facilities more than adults. Despite the positive
aspects, if IT is not controlled, it can have negative impacts as
well as destructive mental and social effects on children. This
paper evaluates destructive effects of using computers and the
Internet on children so that through controlling these
technologies, cause children to improve and develop in IT era.
Keywords: Computer; Internet; children; adolescents
1. Introduction
Psychologists believe that addiction to Internet games causes
serious behavior disorders and could have destructive effects
on their social relationships. Many online games addicts due
to failure in these games or negative excitement are obsessed
by stress, depression or anger and even commit suicide.
One of the reasons for children’s bedwetting (nocturnal
enuresis) is horrifying computer games. They play the
games alone and sometimes for hours unchecked. Childhood
experiences will be continued in adult life. Person who plays
sentimentally will be sentimental to end of their lives. Some
families prevent their children from playing electronic
games. In fact when the parents prevent them from playing
such games, children get much more enthusiastic play and
they use every opportunity, even secretly, to play these
games [6].
American psychologists have mentioned addiction to online
games as a serious behavior disorder among the users and
have warned about its destructive effects on social
relationships. Almost 6.5 million people pay monthly
average of 15$ for the online games subscription worldwide.
Studies have shown that there is an addiction behavior
pattern among the Internet users. Investigations have
reported the prevalence of 6% to 80% [4]. The most
disturbing aspect of the Internet addiction is the damage to
children. They get attached to multiplayer games and even
vulgar sites easily [14].
In this paper, I have described Evaluation of destructive and
negative effects of using computers in five parts, the Internet
and computer games on students in the four parts. In first
part, I have presented Physical complications resulting from
using computer. I have defined Negative effects of using
computer games in the second part. Negative effects of using
conclusion of this paper.
2. Physical complications resulting from using
computer
2.1 Vision problems
Vision problems are the most common problems that are
resulted by long hours of working with computer. Restless
Legs Syndrome (RLS) include exhaustion, pain, burning,
redness, headache, runny eyes, drowsiness, hyperopic,
myopia, weakness and blurred vision are some of complains
that bring patients to clinics [7, 8]. Also the eye’s muscles
get tired of light or brightness changes or direction of sight
change between the screen and the characters that are being
typed. Besides, due to the large displacement of words, the
eyes gradually lose their adaptation ability [5].
People with uncorrected refractive disorders are more at risk
[8]. These diseases are due to:
• Excessive look to the screen.
• Inappropriate distance between the screen and the
person.
• Insufficient light in the room.
• Unsuitable glasses while working with computer.
2.2 Joint, muscular and skeletal systems complications
Other most common syndromes due to working with
computer are: Muscular pains, carpal tunnel and arm
syndrome or tendonitis [9]. Neck and back pain in the long
term, hypnosis and positional scoliosis are among other
complications [11].
Usually computer users keep their wrists, forearms, hands,
arms, back and neck in a fixed mode and this puts great
pressure on their muscles in long term and therefore, it can
also lead to problems in muscles, joints and skeleton.
In this regard, ergonomic factors such as repetitive motion,
way of sitting, view angle, desk and chair position, height of
keyboard and monitor, lighting conditions, typing speed,
lack of mental composure, etc can be major risk factors.
Children who sit for a long time in front of computer and
participate less in physical activities (such as sports) are at
risk of obesity [10]. As the time passes, they will have spinal
and skeleton problems and rigidity in neck, shoulder and
wrist [16, 17].
114
2.3 Skin problems
High voltage of picture tube causes to produce electrostatic
field and a positive electric charge in the external surface of
the screen. Dust particles move in all directions in the field
between the positive charge and operator’s face. Although
the amounts of dust particles, depending on room
ventilation, flooring and other factors changes, they, always
exist.
The positive charge current in this field may cause dryness
and crack in hands and face skin in people who have skin
allergies.
Other studies have also shown that people who complain
about skin allergies and are under mental and psychic
pressure when working more, the pressure and stress can
cause hormonal changes, such as thyroxin (thyroid
hormone) and prolactin (pituitary hormone) and also skin
loss.
Another research, which was conducted in Sweden,
attributes the face skin loss and working with computers to
psychosocial factors and workplace issues. Of course,
personal factors are effective in the incidence of these losses.
2.4 Stress and neurotic-psychic issues
Initially convulsion is created by a special form of epilepsy.
Light sensitive epilepsy is formed when children have high
sensitivity to flickering lights. In this case, the convulsion
begins when they are in front of the screen bright lights and
the flash caused by computer games. Symptoms are varies,
including headache, change in sight field, vertigo, dizziness,
cognizance decrease and convulsion. Symptoms will
disappear as soon as they stop using the computer [1, 15].
High workload and remoteness from colleagues at work can
lead to psychological problems. It should be noted, however,
that working with computer does not necessarily cause
depression, but high workload plays a role in creating
psychological stress. These diseases are nervous or mental
tic such as blinking, shoulder unusual movements, nausea
and vertigo [13].
2.5 Breathing hazardous gases
Latest research shows PC hardware is full of variety of
metals and toxic substances contaminating the environment.
“Lead” (used in cathode ray tubes), “Arsenic” (used in older
CRTs), “Antimony trioxide” (used as anti-fire),
“Polybrominated materials”
(Used as anti-fire in cables, circuits and plastic materials in
computers) are some materials that could be mentioned.
"Selenium" (as a power supply circuits’ rectifier),
"Cadmium" (used in computer’s circuit boards and
semiconductors), "chromium" (to prevent corrosion of metal
parts of the computer), "cobalt" (used in metals for plasticity
and magnetic) and "Mercury" (in the computer’s switch) are
other toxic and pollutant substances used in PCs.
Computer framework and screens have a special smell when
they get warm. Dioxins gas produced by the computer body
(because of heat) and the screen is an example of these
odors. These materials are used in the framework of the
screens and boards as fireproof. The ozone gas is produced
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
while laser printer is working which harms nasal mucous
tissue, eyes and throat. Therefore, importers or producers of
computers have to observe the required standards.
3. Negative effects of using computer games
Many of these people play in a fictional universe for a long
time. Disadvantages of computer games are:
3.1 Physical damages
Because of staring at the screen continuously, the eyes are
under strong pressure of light and will undergo
complications. Observations have shown that teenagers are
so much absorbed by the games that do not notice the
amount of visual and mental pressure putt on themselves.
Since they sit in a constant fixed position, the skeleton will
be afflicted by some abnormalities. Also twinge and stiff
neck, shoulders and wrists are the other complications
caused by relatively fixed and long-term working with
computers. Skin exposes to continuous radiation of monitor.
Nausea and vertigo, especially in children and teenagers
with epilepsy background, are other computer
complications. Stirring computer games result in bone and
nerve diseases in hands and arms.
3.2 Psychological and nurturing injuries
3.2.1 Strengthen the sense of aggression
The main characteristic of computer games is that most of
them are in warlike settings and the gamer must fight with
so-called enemy forces to reach the next stage of the game.
The continuation of playing such games will make children
aggressive and quarrelsome.“Violence” is the most
important motivation used extremely in designing the
newest and most attractive computer games. Hollywood
celebrities, who are immoral and anti-value in our culture,
are being shown as an insuperable hero in these games.
3.2.2 Isolationism
Children who continuously involved with these games tend
to be introvert and they are recluse in society and have
anomalies in social communication [1].
3.3 Mental retardation
In these games because children and teenagers play created
programs with others, and since they are not able to change
them, their confidence of creation and improvement will be
instable.
Most families think that the gamer has a continuous mental
involvement in the games, but this involvement is not
mentally, rather they deceive brain cells and from the
physical active point of view there is only some fingers
movement. If we continue this manner and develop the
games, the society will have frustrated, depressed, non-
active and uncreative members. They would be less self
reliant and creative, while society needs creative, innovative
and contemplative people [12].
Recent researches indicate that computer games lead to
chronic brain damage. Games just stimulate parts of the
brain that are dedicated to the vision and motion and do not
help developing other parts. Frontal lobe does not develop in
children who devote long hours to play computer games.
Frontal lope plays an important role in the development of
 (IJCNS) International Journal of Computer and Network Security, 115
memory, emotion and learning. People, whose frontal lobes
are not evolved, are susceptible being violent and have less
ability to control their behavior.
3.4 Impact on family relationships
Considering that life in our country, Iran is going towards
machinelike life and in some families, parents are employed
or some fathers have more than one job, emotional
relationships and getting together in families have been
decreased automatically. A lot of people are not satisfied
with this situation and existence of computer as a magic box
which has resulted in cold family relationships [4, 12].
3.5 Educational failure
Due to the glamorous attraction of these games, children
spend a lot of their time and put their energy to play. Even
some children, wake up earlier than usual in the morning to
play a little before school and compensate for the wasted
time in this way. One parent states that last year her son had
had the best scores, but since they had bought a computer
for him, he spends 2-3 hours a day to play and has had
educational failure [4, 12].
4. Negative effects of using the Internet
4.1 Internet Addiction
The addicts to the Internet spend long hours during the day
using this media, in a way that their job and social
performance is influenced. This type of abnormal usage is
called internet addiction by experts. The reason for internet
addiction in many of these people is to find a way to
suppress anxiety and stress in their lives. According to the
researchers, dissociable people and those who have problem
in their social and interpersonal communications, are more
likely to become the Internet addicts.
Known symptoms of this disorder include:
• Using computers for fun, enjoyment or stress
relief.
• Extreme depression when they do not use the
Internet.
• Spending a lot of time and money for
software, hardware and computer-related
activities.
• Being carefree towards work, school and
family.
• Uncontrollable feeling of irritability while
using computer
One of the negative aspects of the Internet is entering
anonymously. Teenagers have the opportunity to do
whatever they would like to in the Internet.
They get disturbed when they are asked about how they use
the Internet by adults because they regard the Internet as a
private place for themselves. Internet is replaced with public
space for them. In this case they will have more experiences
and information about how to control and use this new
medium. The only problem is that the relationship between
youth and adults vanishes in cyberspace. Puberty is a critical
stage that an adolescent discovers and internalizes the
values.
Internet with its unlimited volume of information and
instant communication tools, introduces other tools to create
Vol. 2, No. 9, September 2010
identity for teenagers through search. We should know that
many interactions in the Internet require no human contacts
[14].
4.2 Immoral websites
Immoral websites have become a catastrophe on the Internet
these days. Through providing immoral and obscene content
and images, these sites have jeopardized mental and
emotional health of teenagers and therefore societies’
health. Most of these sites try to destroy the culture and
values of a society.
4.3 Chat
Chat rooms are used by a great deal of teenagers on the
internet. These rooms are suitable place to meet and
converse with other children and teenagers around the
world. But a lot of abuse is done by swindlers in these rooms
including:
• presenting invalid personal information,
• Abuse of people’s information
• Deceiving adolescents by contacting and making
appointments.
These matters lead to seducing adolescents and therefore
corruption in societies.
4.4 Impact of internet games
Today, electronic and computer games development has
become a great threat for teenagers and youth. This can lead
to mental disorders and depression among youth as well. In
the past, games were done through children's
communication with each other.
But today, they spend most hours of the day to play
computer games since having being aware of such games,
while this communication does not make any emotional and
human relations. Effect of games in children and teenagers
is especially creating violence among them. Researches
show that the effect of games on violent behavior in children
and teenagers depends on several factors [4, 3]:
• Severity of violence in games.
• Child's ability to discern and differentiate between
imaginary world and real life.
• Child's capability to restrain the natural tendency
and motivations.
• The value framework in which the child is growing
or living now and the values that game content is
presenting.
4.4.1 Social impact on person
Relationships between individuals on the Internet is
superficial and does not have the depth, this type of
communication lacks features such as proximity, regular
contact, deep influence, exchanging information about
social context [2].
4.4.2 Being cut off
While the Internet can connect human being electronically,
but it stops "face to face" communication. So it will reduce
human relations and social cohesion.
4.4.3 Mental involvement
One of the problems mentioned by psychiatrists about
children and teenagers who spend long hours in chat rooms
116 (IJCNS) International Journal of Computer and Network Security,
is mental involvement which is caused by creating mental
images that are produced by the materials exchanged among
people in these chat rooms. It causes mental disorders
including depression.
4.4.4 Internet effect on social skills
Online games delay appropriate development of child’s
social skills. When the child becomes addicted to the
Internet, his motivation for interacting with others will
decrease. This has negative effects on their personal
relationship and social interactions [2]. Recent studies show
that using the Internet cause to feel misery, loneliness and
totally reduced mental health. People who use the Internet
more keep the friendships less. They spend less time to talk
to family, experience more stress and feel lonely and
depressed.
4.4.5 Internet and families
Using the Internet affects family relationships for several
reasons:
• Using Internet is a time-consuming activity so it
can reduce children’s interaction with family.
Dedicated time to interact with each other is
prerequisite for a high quality relationship. In
a study, 50% of families stated when they are
online they speak less and 41% admitted they
had learned anti-social behavior during this
time.
• Internet creates new conflicts within the family.
When there is only one computer at home,
there will be a competition between children
and parents to use the computer which
sometimes causes struggle.
• Visiting web pages that have inappropriate
contents for child's age causes argument and
conflict between parents and children.
• Sometime conflict is because of child’s access to
parents’ private information.
• Parents are concerned that Internet may prevent
children from other activities and have
isolating effects on them.
5. Conclusion
In recent years, computer and internet gradually have been
replaced with television to some extent and likely in the
near future will play more significant role than television in
children and teenagers’ lives. If this technology is used
correctly, it has positive effects. Yet it is inferred from the
content of this paper that the risks of its uncontrolled and
incorrect application, threatens all users especially children.
To ensure optimum use and that computer improves
children's lives in the present and future considering the
following suggestions may help in general:
• Parents should get familiar with computers and take
training courses in this field and learn some tips
from children, if necessary.
• Talk with children about how to use computers and
risks that may threaten them while they are online.
• Putting the computer in a place at home that child’s
activities could be controllable.
Vol. 2, No. 9, September 2010
• Limit the time of computer use, if the child has
reduced social contacts. Excessive use of computer
usually indicates a problem.
• Accompany children when they are in chat room.
• Revise children’s e-mail and delete inappropriate
messages.
• Using filter software to prevent from visiting
inappropriate content. Such software could also log
the child’s visited site addresses so parents can
review them later.
• Of course, no software can be replaced with parents
association with children.
• Programs should be suitable with the child's growth
and development.
• Encourage child to interact with the family rather
than excessive use of computers.
• Computer should be as an educational complement
tool; not as the only way of training.
• Choosing appropriate programs with children's age.
• Controlling the access ways to computer.
• Enhancing parents and teachers’ computer literacy.
• Providing educational programs for parents, teachers
and others who work with children.
• Some researches should be done on the effects of
computer on physical, intellectual, rational, social
and psychological development of children.
References
[1] M.K Shields, R.E Beharman, “Children and computer
technology:Analysis and recommendations”, The
future of children and computer technology, Vol.10.
No.2, pp. 4-30, Fall/winter2000.
[2] “Internet & its affect on social live” Website, May
2005, Available: http://www.ayandehnegar.com.
[3] “ICTs and children” Website, April 2004, Available:
www.wiki.media-culture.org.au.
[4] B. Affonoso, “Is the internet affecting the social skills
of our children?”, December 1.1999,
Available:http://www.sierrasource.com/cep612/internet
.html.
[5] L.K. Wan. “Children and computer vision syndrome”,
2005, Available: www.allaboutvision.com.
[6] Saeed. Shamlou, “Mental Health”, Roshd Publication,
2001, pp. 4-30.
[7] M. Emick, “Study finds direct link between computer
use and vision problems in children”, Mar 2002,
Available:www.allaboutvision.com/cvs/productivity.ht
m
[8] A. Azimi, M. Salehi, F. Salehi, H. Masoudi, “affect of
work with computer on vision performance”, the secret
of better life. Vol 30, pp. 33-41, Fall 2004.
[9] “What’s new in health care computers cause vision
problems in children. Johns Hopkins University
Website”, April 1.2002, Available: www.jhu.edu.
[10] S.S Lang, “Cornell ergunomist offers web guide lines
on how children can avoid injury while at their
computers”,
Available:http://ergo.human.cornell.edu/MBergo/schoo
lguide.html, Feb 2010.
 (IJCNS) International Journal of Computer and Network Security, 117
Vol. 2, No. 9, September 2010

[11] Health Development, “Computer technology and

children-physical and psychological development”, Oct
2004, Available: www.public.iastate.edu.
[12] “The internet: A positive or negative influence on
children”,2005,Available:
www.firstclass.wellesley.edu.
[13] “Computer illnesses”, July 2002,
Available:www.hasht.com.
[14] “Recognize of adict to Internet”, September 2002,
Available: www.hasht.com.
[15] “Stress is main reason of Internet Adict”, August
2002, Available: www.hasht.com.
[16] M. Carelse, “Computer games:Are they harming your
children?”, 2005, Available: www.gentleparents.com.
[17] “Computer games linked to learning problems”,
August 2001, Available: www.news.zdnet.com.
118 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Efficient Buffer management Policy DLA for DTN

Routing Protocols under Congestion
Sulma Rashid1, Qaisar Ayub2
Universiti Teknologi Malaysia (UTM)
, Faculty of Computer Science & Information System,
Department of Computer System & Communication
Skudai - Johor, 81310, Malaysia
1
sulmaqaiser@gmail.com
2
sheikhqaisar@gmail.com

Abstract: In DTN networks end-to-end path may not be exist
and disconnections may occur frequently due to propagation
delay, node mobility, power outage and operational environment
(deep space underwater). Thus transmission in such
environments follow store-carry-forward strategy in which a
node store the message in buffer, carries it while moving and
transmit when connection becomes available. In addition
multiple copies of message may be forwarded to increase the
delivery probability. In such case the node buffer becomes the
critical recourse and need to be managed effectively to overcome
congestion and message drop ratio. The efficient buffer
management policy deals which message to drop when
congestion arises. In this paper we propose a new buffer
management policy for DTN in which when the node buffer is
congested and it needs to store a new message, the large size
message from the buffer will be dropped. The strategy is called
drop largest (DLA). We prove through the simulation that our
buffer management policy (DLA) outperforms well as compared
to existing Drop Oldest.
Keywords: Delay Tolerance Network DTN, DLA (Drop
largest), DO (Drop oldest), Algorithm
buffer management issues, but an efficient [13] buffer
management scheme is still required to overcome
congestion.
In this work we propose an efficient buffer management
policy (DLA) to improve message delivery, message drop,
overhead ratio and buffer time average under highly
congested network. To evaluate the performance of our
proposed buffer management policy we use ONE simulator
[5]. We have performed the simulations with spray&wait,
direct contact, First contact and Epidemic routing protocols.
The proposed scheme performs well only delivery ratio in
case of epidemic routing is minimized.
The rest of paper is organized follows Section 2 discuss
existing buffer management policies. Section 3 summarizes
performance metrics. Section 4 describes evaluation our
buffer management policy under routing protocols. Section
5 is about proposed algorithm (DLA). Section 6-7 is for
simulation results and conclusion.

1. Introduction 2. Existing buffer management policies

The traditional network (Ad-hoc, TCP/IP) required end-to-
end path and can not be implemented in rebellion wireless
applications e.g. Military networks, vehicle ad hoc network,
wild life tracking sensor networks where the connectivity is
not stable due to node mobility, low power nodes
periodically shutting down. In order to cope with
disconnections researcher have proposed a new protocol
Delay Tolerance Network DTN [1], [2], [7] and [14]. DTN
routing protocols have adopted a “store-carry forward”
paradigm, where each node in the network stores a packet
that has been forwarded to it by other nodes, carries the
packet while it moves around, and forwards or duplicates it
to other nodes (or the destination node) when they come
within transmission range.
Nodes under DTN protocol may not have complete
information about network; therefore message is replicated
to increase the delivery probability like Epidemic [6]. Due to
low data rates and short duration of node encounters
epidemic was modified by spray-and-wait [2-4], K-hop
probabilistic forwarding [12].
It is evicted that storage of message for long time and its
replication [6], [14], [3] make buffer run out of capacity and
effect the performance of router. Some recent work [8]-[11],
[17] and [18] addressed few transmission scheduling and
2.1 Drop Random(DR)
The selection of message to be dropped is random.
2.2 Drop –Least-Recently-Received (DLR)
The message with the long stay time in buffer will be
dropped. The idea is that the packet with in buffer for long
time has less probability to be passed to other nodes.
2.3 Drop-Oldest (DOA)
The message with the shorted remaining life time (TTL) in
network is dropped. The idea of dropping such packet is that
if packet TTL is small, it is in the network for long time and
thus has high probability to be already delivered.
2.4 DL-Drop last(DL)
It drops the newly received message.
2.5 Drop front(DF)
The message that enters first in the queue is dropped first.
2.6 N-Drop
In N-Dropt [17], the message that does N number of
forwarding will be selected to drop.
 (IJCNS) International Journal of Computer and Network Security, 119
Vol. 2, No. 9, September 2010

3. Performance metrics probability of reaching their destination.

3.1 Message delivery

5. Algorithm (DLA)
It is a function of measuring messages that are correctly
received by the final destination within a given time period. In normal scenario there are two possibilities where a
message will be dropped, after expiration of TTL, when
delivered to destination. When node buffer is fully occupied
3.2 Buffer time average and a new message turns up, the problem is which message
The buffer time average is the function of measuring the from buffer will be chosen to drop (Congestion drop).
average time spends by all messages in node buffer. Assume M messages are propagated in the network using
replication. We consider a time instant where NODE-A is
3.3 Message drop
packed full and a new message copy M6 of size 300kb
It is a function to count number of messages dropped during arrives from NODE-B.
transmission.
Node-A Node-B
3.4 Overhead ratio
It is negation of number of message relayed to message
delivered.

4. Routing protocol under evaluation Figure 1. Congested buffer

4.1 Spray&wait (SW) DOA algorithm drop oldest messages from buffer until room
of 300kb becomes available, NODE-A will drop M1, M2,
Spray & wait [3] is a routing protocol that attempts to gain M3, and M4 to free enough space (300kb) for new message.
the delivery ratio benefits of replication-based routing as DOA algorithm drop oldest messages from buffer until room
well as the low resource utilization benefits of forwarding- of 300kb becomes available, NODE-A will drop M1, M2,
based routing like direct transmission. M3, and M4 to free enough space (300kb) for new message.
The Spray and Wait protocol is composed of two phases: DLA policy drop large size message which is M5. Hence the
the spray phase and the wait phase. When a new message is drop and overhead is considerably reduced while message
created in the system, a number L is attached to that (M1, M2, M3, and M4) stay in network which increase the
message indicating the maximum allowable copies of the delivery of messages.
message in the network. During the spray phase, the source
Table 1: Variables
of the message is responsible for "spraying", or delivery, to
Variable Description
one copy to L distinct "relays". When a relay receives the Ni Number of i node i={1,2,3….n}
copy, it enters the wait phase, where the relay simply holds SM Size of message
that particular message until the destination is encountered BN Buffer size at each node
directly. In other words, Spray and Wait could be viewed as BNA Buffer available at each node
a tradeoff between single and multi-copy schemes. Nc Node holding the connection counter
MN New message
4.2 First contact (FC) MR Messages currently help by router
In first contact [15] and [16] routing, the router transmits Bu Buffer in use
the message randomly as other nodes come under its
Check available buffer space
communication range. Under congested networks the for each message in MR
messages can not route. Bu = getsize (MRi) + Bu;
4.3 Direct delivery (DD) end loop;
BNA = BN-Bu
The source node [16] transmits the message to other node if SM (Node or Relay) < BNA THEN
only when other node is its destination. ADD (MRiàBN, MN)
end if;
Direct delivery can be considered a hybrid technique as one if SM(Source or Relay) > BNA THEN
can include it in flooding where Direct Delivery always /* drop some message to make room for new message*/
select the direct path between source and destination. Greatest = 0;
/* Find the message with large size */
while (SM >BNA)
4.4 Epidemic routing For each message M in MR
begin
Epidemic Routing [6] spread application messages to nodes, If Size (MRi ) > Greatest Then
called carriers, within connected areas of ad hoc networks. Greatest= Sizeof (MRi)
end if
In Epidemic Routing when carriers coming into contact end loop; //for loop
with another connected portion of the network through node end loop; //while loop
Remove (MRàBNA, Greatest);
mobility it spread the message to nodes. Through such end;
iterative transmission of data, messages have a high Algorithm DLA
120 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

space as described in algorithm (section 4). In Epidemic

6. Simulation and results routing the message delivery was affected but message drop
is almost half then then existing DOA, DLA have optimized
In the following section we have examined routing protocols the message drop metric.
(Section 4), with exiting (DOA) and proposed (DLA).
All the experiments were performed using ONE Simulator.
The ONE [5] Simulator is a discrete event simulator written
in Java. The main objective of simulator is to implement
DTN (store-carry-forward) of message for long time, where
the probability of disconnections and failures increased.

Table 2: Simulation setup

Number of Nodes 126
Movement model 1 Shortest path map based movement
Movement model 2 Map rout movement
Number of groups 06
Buffer size 5MB
Transmission range 10M
Transmission speed 250 K
Figure 4. Overhead ratio (DLA, DO)
Message creation interval 24-35 (seconds)
Figure 4 represents the influence of DLA and DOA with
respect to overhead. We can see clearly that overhead ratio
with DLA is decrease in all routers. In DD due to direct
transmission overhead is zero for both algorithms, while
Epidemic overhead is reduced to considerable extent.

Figure 2. Message delivery (DLA, DOA)

First we consider message delivery of routing protocols with
DOA and DLA, which is shown in figure 2. It is easy to see
that different routers have varying impact on message
delivery, but higher delivery in case of spray&wait and
direct delivery router. First contact with DLA lies between
spary&waits and Direct delivery, but gain high message
delivery then DOA. However in all the configuration of
routers, message delivery of DLA is improved then DOA
only effected in Epidemic router but improves other metrics
discussed later and is trade off.
Figure 5. Buffer time average
Fig 5 observes buffer time average with DLA and DOA. It
can be clearly seen that DLA has high value of buffer time
average with all router.
7. Conclusion & future work
In this paper we propose an efficient buffer management
policy DLA which drop large size messages when the node
buffer is congested.
Its also optimize the routers performance metrics like
message delivery , message drop, overhead ratio and buffer
time average compared to DOA. Future work is to
investigate the DLA (Drop Largest) technique with all
existing buffer management policies.

Figure 3. Message dropped (DLA, DOA) References

Figure 3 plot the impact of message drop with DLA and
DOA. In all router configurations DLA reduce the message
drops to a significant quantity. We can observe the strength
of DLA, which drop large size message and free more buffer
[1] S. Jain, K. Fall, and R. Patra, “Routing in a delay
Tolerant network,” in Proceedings of ACM SIGCOMM,
pp.145-158, 2004.
[2] T. Small and Z. J. Haas.” Resource and performance
 (IJCNS) International Journal of Computer and Network Security, 121
Vol. 2, No. 9, September 2010

Trade offs in delay-tolerant wireless networks,” in [17] Yun Li, Ling Zhao ,Zhanjun Liu,Qilie Liu.” N-Drop
SIGCOMM Workshop on Delay Tolerant Networking Congestion Control strategy under Epidemic Routing in
(WDTN), pp.260-267, 2005. DTN.” Research center for wireless information
[3] T. Spyropoulos, K. Psounis, and C. S. Ranghavendra networks,chongqing university of posts &
“Spray and wait: an efficient routing scheme for Telecommunications ,chongqing 400065,china, pp. 457-
intemitteltly connected mobile networks,” in Proceedings 460, 2009.
of the ACM SIGCOMM workshop on Delay-tolerant [18] indgren and K. S. Phanse, “Evaluation of queuing
networking.pp. 252-259, 2005. policies and forwarding strategies for routing in
[4] T. Spyropoulos, K. Psounis, and C. Raghavendra. intermittently connected networks,”in Proc. of IEEE
“Efficient Routing in Intermittently Connected Mobile COMSWARE, pp. 1-10, Jan. 2006.
Networks: The Multi-copy Case,”IEEE/ACM
Transactions on Networking (TON), vol. 16 , pp. 77-
90,Feb. 2008 Sulma Rashid She has received her MS
[5] Homepage of Opportunistic Network Environment Degree in computer science in 2007 from
(ONE). http://www.netlab.tkk._/%7Ejo/dtn/#one, Version IQRA University Islamabad Pakistan and MCS
1, Accessed July 2010. degree in 2001 from UAAR Pakistan. She has
10 years of teaching experience. Her areas of
[6] A. Vahdat and D. Becker, “Epidemic routing for
interest are DTN, Adhoc, security, Network
partially connected ad hoc networks,” Duke University, programming, Operating system, wireless networks and MANETS.
Tech. Rep. CS-200006, Apr. 2000. As a part of this paper she is working on Optimizing and
[7] K. Scott and S. Burleigh, “Bundle protocol forwarding research issues in DTN routing.
Specification.” RFC 5050, November 2007.
[8] J. Burgess, B. Gallagher, D. Jensen, and B. N. Levine. Qaisar Ayub He has obtained his MCS
“MaxProp: Routing for Vehicle-Based Disruption- Computer Science degree in 2005 from
Tolerant Networks”. In IEEE International Conference on Comsat Institute of Information Technology
Computer Communications (INFOCOM),pp. 1-1, 2006. Pakistan. And BCS (Hons.) computer science
from Allama Iqbal Open University Pakistan
[9] A. Balasubramanian, B. N. Levine, and A.
in 2003.
Venkataramani. “DTN Routing as a Resource Allocation He has 5 years of experience in conducting
Problem,”. In ACM Conference on Applications, professional trainings (Oracle, Java,) and software development.
Technologies, and Protocols for Computer As a part of this paper he is working on QOS in DTN routing.
Communication (SIGCOMM), pp. 373 – 384, 2007.
[10] D. Aldous and J. Fill, “Reversible markov chains and
random walks on graphs. (monograph in preparation.),”
http://statwww.berkeley.edu/users/aldous/RWG/book.html
.
[11] A. Krifa, C. Barakat, and T. Spyropoulos.” Optimal
buffer management policies for delay tolerant
networks”.In IEEE Communications Society Conference
on Sensor, Mesh and Ad Hoc Communications and
Networks (SECON), pp. 260-268, 2008.
[12] A. Lindgren, A. Doria, and O. Schelen, “Probabilistic
routing in intermittently connected networks,”
SIGMOBILE Mobile Computing and Communication
Review, vol. 7, no. 3, 2003.
[13] Ms. E. Jenefa JebaJothi , Dr. V. Kavitha , Ms. T.
Kavitha “Contention Based Routing in Mobile Ad Hoc
Networks with Multiple Copies” JOURNAL OF
COMPUTING, VOLUME 2, ISSUE 5, pp.14-19, MAY
2010.
[14] J.-Y. L BOUDEC, AND M. VOJNOVIC, “Perfect
Simulation and Stationary of a Class of Mobility Models”.
In Proc. Of IEEE Infocom, pp.2743 - 2754, 2005.
[15] A. KERÄNEN AND J. OTT, Increasing Reality for
DTN Protocol Simulations. Tech. rep., Helsinki
University of Technology, Networking Laboratory, July
2007.
[16] T. Spyropoulos, K. Psounis, and C. Raghavendra A,
C. S. “Single-copy routing in intermittently connected
mobile networks,” IEEE/ACM Transactions on
Networking (TON), vol. 16, pp. 63-76, Feb. 2008.
122 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010

Overview of Detecting Stego-Content in Corporate

Emails: a Web Based Steganalysis
Ms. P. T. Anitha1 and Dr. M. Rajaram2
1
Asst. Prof./MCA,
Karpagam College of Engineering,
Coimbatore 641032, Tamilnadu, India
anitha_pt@yahoo.com

2
HOD/ EEE,
Government College Engineering, Trinelveli, Tamilnadu, India,
rajaramgct@redifmail.com

Abstract: Information Security and integrity are becoming
more important as we use email for personal communication
and business. Steganography is used to hide the occurrence of
communication. Recent suggestions in US newspapers indicate
that terrorists use steganography to communicate in secret with
their accomplices. In particular, images on the Internet were
mentioned as the communication medium. While the newspaper
articles sounded very dire, none substantiated these rumors.
Today, email management is not only a filing and storage
challenge. Because law firms and attorneys must be equipped to
take control of litigation, email authenticity must be
unquestionable with strong chains of custody, constant
availability, and tamper-proof security. Email is insecure. This
Paper is designed to give the survey about how the stego content
can be detected with the help of the steganalysis methods. This
proposed will develop a steganalysis framework that will check
the Email content of corporate mails by improving the DES
algorithm with the help of neural network approach. We
anticipate that this paper can also give a clear picture of the
current trends in steganography so that we can develop and
improvise appropriate steganalysis algorithms.
Keywords: Steganalysis, Steganography, Information Hiding,
LSB, Stegdetect, Stego, Outguess
1. Introduction
The goal of steganalysis is to detect and/or estimate
potentially hidden information from observed data with little
or no knowledge about the steganography algorithm and/or
its parameters. Steganalysis is both an art and a science. The
art of steganalysis plays a major role in the selection of
features or characteristics a typical stego message might
exhibit while the science helps in reliably testing the
selected features for the presence of hidden information.
While it is possible to design a reasonably good steganalysis
technique for a specific steganographic algorithm, the long
term goal is to develop a steganalysis framework that can
work effectively at least for a class of steganography
methods, if not for all.
Current trend in steganalysis seems to suggest two extreme
approaches: (a) little or no statistical assumptions about the
image under investigation. Statistics are learnt using a large
database of training images and (b) a parametric model is
assumed for the image and its statistics are computed for
steganalysis detection. This proposed research is going to
analyze the techniques available to detect the stego content
in corporate emails.
1.1 Steganography vs. Steganalysis
Steganography is the art of covered or hidden writing [7].
The purpose of Steganography is covert communication to
hide a message from a third party. Steganography is often
confused with cryptology because the two are similar in the
way that they both are used to protect important information
[7]. The difference between the two is that Steganography
involves hiding information so it appears that no
information is hidden at all. If a person or persons views the
object that the information is hidden inside of he or she will
have no idea that there is any hidden information[11],
therefore the person will not attempt to decrypt the
information. Steganography in the modern day sense of the
word usually refers to information or a file that has been
concealed inside a digital Picture, Video or Audio file. New
steganographic techniques are being enveloped and
information hiding is becoming more advanced based on the
motives of its use. Besides the hype of terrorists using
steganography, very recently there has been a case of
corporate espionage reported by Phadnis (2007), where
confidential information was leaked to a rival firm using
steganographic tools that hid the information in music and
picture files[9]. Although the perpetrator was caught in this
case, it does give an idea of the wide landscape in which
steganography can be applied in [9].
In modern approach, depending on the nature of cover
object, steganography can be divided into five types:
• Text Steganography
• Image Steganography
• Audio Steganography
• Video Steganography
• Protocol Steganography
So, in the modern age so many steganographic techniques
have been designed which works with the above concerned
objects.
Steganalysis is the science of detecting the presence of
hidden data in the cover media files and is emerging in
parallel with steganography. Steganalysis has gained
prominence in national security and forensic sciences since
detection of hidden (ciphertext or plaintext) messages can
 (IJCNS) International Journal of Computer and Network Security, 123
lead to the prevention of disastrous security incidents.
Steganalysis is a very challenging field because of the
scarcity of knowledge about the specific characteristics of
the cover media (an image, an audio or video file) that can
be exploited to hide information and detect the same. The
approaches adopted for steganalysis also sometimes depend
on the underlying steganography algorithm(s) used.
2. Steganalysis techniques
In this paper we discuss image steganalysis though many of
the techniques are applicable to other data types as well.
Several approaches have been proposed to solve the
steganalysis problem and we broadly classify them into the
following groups:
Supervised learning based steganalysis:
Supervised learning based steganalysis techniques employ
two phase strategies: (a) training phase and (b) testing
phase. In the training phase, examples of the type f(di; ti)g
where di denotes a stego image feature(s) and ti denotes
whether a secret message is embedded or not, are provided
to a statistical classifier. The classifier “learns” the best
classification rule using these examples[2]. In the testing
phase unknown images are given as input to the trained
classifier to decide whether a secret message is present or
not. There are some steganalysis methods that do not
directly use this type of classical learning by example rather
training data is used to compute a regression model for a set
of selected features. This model is then used for
steganalysis.
Blind identification based steganalysis:
Blind identification methods pose the steganalysis problem
as a system identification problem. Some statistical
properties such the independence of host and secret message
etc. are exploited. The embedding algorithm is represented
as a channel and the goal is to invert this channel to identify
the hidden message.
Parametric statistical steganalysis:
These approaches tend to assume a certain parametric
statistical model for the cover image, stego image and the
hidden message. Steganalysis is formulated as a hypothesis
testing problem, namely, H0 :no message (null hypothesis)
and H1 :message present (alternate hypothesis). A statistical
detection algorithm is then designed to test between the two
hypotheses[10].
Hybrid techniques: Hybrid techniques overlap more than
one of the above approaches. The type and amount of
information needed for successful steganalysis is a critical
issue. The following two information types for steganalysis
have been identified
Spatial diversity information based steganalysis:
Steganalysis methods can look for information in the spatial
domain that repeats itself in various forms in different
spatial locations (e.g., different blocks within an image or,
in different images). We call this spatial diversity based
steganalysis.
Temporal diversity information based steganalysis:
Steganography information that appears repeatedly over
time can also aid steganalysis. Such techniques are called
temporal diversity information based steganalysis, e.g.,
video steganalysis[10].
Vol. 2, No. 9, September 2010
Clearly, it is important to choose a proper steganalysis
domain, appropriate features, statistical models and
parameters, detector design, user inputs such as detection
error probability etc. We discuss later some of the popular
choices of current steganalysis algorithms in this regard.
3. Image steganalysis
Algorithms for image steganalysis are primarily of two
types: Specific and Generic. The Specific approach
represents a class of image steganalysis techniques that very
much depend on the underlying steganographic algorithm
used and have a high success rate for detecting the presence
of the secret message if the message is hidden with the
algorithm for which the techniques are meant for. The
Generic approach represents a class of image steganalysis
techniques that are independent of the underlying
steganography algorithm used to hide the message and
produces good results for detecting the presence of a secrete
message hidden using new and/or unconventional
steganographic algorithms. The image steganalysis
techniques under both the specific and generic categories are
often designed to detect the presence of a secret message and
the decoding of the same is considered complementary not
mandatory[8].
3.1. Specific Image Steganalysis Algorithms
Image steganography algorithms are more often based on an
embedding mechanism called Least Significant Bit (LSB)
embedding. Each pixel in an image is represented as a 24-
bitmap value, composed of 3 bytes representing the R, G and
B values for the three primary colors Red, Green and Blue
respectively. A higher RGB value for a pixel implies larger
intensity. For instance, a pixel p represented as FF FF FF16
is composed of all of these three primary colors at their
maximum intensity and hence the color represented by this
pixel is “white”. LSB embedding exploits the fact that
changing the least significant bit of each of the three bytes
of a pixel would produce only a minor change in the
intensity of the color represented by the pixel and this
change is not perceptible to the human eye [2]. For example,
changing the color values of pixel p to FE FE FE16 would
make the color darker by a factor of 1/256. Steganography
algorithms based on LSB embedding differ on the pattern of
modification – a modification of randomly chosen pixels or
modification restricted to pixels located in certain areas of
the image[3].
Images can be represented in different formats, the three
more commonly used formats are: GIF (Graphics
Interchange Format), BMP (Bit Map) and JPEG (Joint
Photographic Exchange Group). Each of these image
formats behaves differently when a message is embedded in
it. Accordingly, there exist different image steganalysis
algorithms for each of these three image formats. We now
discuss the algorithms for each of these formats.
3.1.1. Palette Image Steganalysis
Palette image steganalysis is primarily used for GIF images.
The GIF format supports up to 8 bits per pixel and the color
of the pixel is referenced from a palette table of up to 256
distinct colors mapped to the 24-bit RGB color space. LSB
124
embedding of a GIF image changes the 24-bit RGB value of
a pixel and this could bring about a change in the palette
color (among the 256 distinct colors) of the pixel. The
strength of the steganographic algorithm lies in reducing the
probability of a change in the palette color of the pixel and
in minimizing the visible distortion that embedding of the
secret image can potentially introduce. The steganalysis of a
GIF stego image is conducted by performing a statistical
analysis of the palette table vis-à-vis the image and the
detection is made when there is an appreciable increase in
entropy (a measure of the variation in the palette colors).
The change in entropy is maximal when the embedded
message is of maximum length.
3.1.2. Raw Image Steganalysis
The Raw image steganalysis technique is primarily used for
BMP images that are characterized by a lossless LSB plane.
LSB embedding on such images causes the flipping of the
two grayscale values. The embedding of the hidden message
is more likely to result in averaging the frequency of
occurrence of the pixels with the two gray-scale values. For
example, if a raw image has 20 pixels with one gray-scale
value and 40 pixels with the other gray-scale value, then
after LSB embedding, the count of the pixels with each of
the two gray-scale values is expected to be around 30. This
approach was first proposed by Westfeld and Pfitzmann [5],
and it is based on the assumption that the message length
should be comparable to the pixel count in the cover image
(for longer messages) or the location of the hidden message
should be known (for smaller messages).
3.1.3. JPEG Image Steganalysis
JPEG is a popular cover image format used in
steganography. Two well-known Steganography algorithms
for hiding secret messages in JPEG images are: the F5
algorithm [11] and Outguess algorithm [6]. The F5
algorithm uses matrix embedding to embed bits in the DCT
(Discrete Cosine Transform) coefficients in order to
minimize the number of changes to a message.
3.2. Generic Image Steganalysis Algorithms
The generic steganalysis algorithms, usually referred to as
Universal or Blind Steganalysis algorithms, work well on all
known and unknown steganography algorithms. These
steganalysis techniques exploit the changes in certain innate
features of the cover images when a message is embedded.
The focus is on to identify the prominent features of an
image that are monotonic and changes statistically as a
result of message embedding. The generic steganalysis
algorithms are developed to precisely and maximally
distinguish these changes[9]. The accuracy of the prediction
heavily depends on the choice of the right features, which
should not vary across images of different varieties[12].
4. Evaluation of steganalysis tools
In order to evaluate the steganalysis tools, it is essential that
the whole process is forensically sound to ensure the validity
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
of the findings. Therefore, the following are the steps that
will be followed throughout the process:
1. Obtain the steganographic and steganalysis tools
2. Verify the tools (to ensure the tools is doing what it
claims)
3. Obtain cover images, and generate MD5 hashes
4. Apply steganalysis on cover images, and generate MD5
hashes
5. Generate steganographic images, and generate MD5
hashes
6. Apply steganalysis on the steganographic image, and
generate MD5 hashes
In each of the steps where the cover images or the
steganographic images are involved, MD5 hashes have been
used to verify whether the image has changed in any
sense[1].
5. Detecting Stego content in corporate mails
The proposed research is going to analyze the performance
of the improved version of image steganalysis algorithms in
corporate mails. A hybrid algorithm is under processing for
detection purpose which is going to detect the stego content
accurately. A large database is used to store the images. The
performance and the detection ratio are going to be
measured in corporate mails.
5. Conclusions
In this paper, we have analyzed the steganalysis algorithms
available for Image Steganography. In summary, each
carrier media has its own special attributes and reacts
differently when a message is embedded in it. Therefore, the
steganalysis algorithms have also been developed in a
manner specific to the target stego file and the algorithms
developed for one cover media are generally not effective for
a different media. This paper would cater well to providing
an overview of the steganalysis algorithms available for
images and proposed a new .
References
[1] Ahmed Ibrahim, Steganalysis in Computer Forensics,
Security Research Centre Conferences, Australian
Digital Forensics Conference, Edith Cowan University
Year 2007.
[2] I. Avcibas, N. Memon, and B. Sankur, “Steganalysis
using image quality metrics,” IEEE Trans. on Image
Processing, vol. 12, no. 2, pp. 221–229, Feb. 2003.
[3] R. Chandramouli, A Mathematical Approach to
Steganalysis, Proc. SPIE Security and Watermarking of
Multimedia Contents IV, California, Jan. 2002.
[4] S. Geetha , S. Siva and Sivatha Sindhu, Detection of
Stego Anomalies in Images Exploiting the Content
Independent Statistical Footprints of the Steganograms,
Department of Information Technology, Thiagarajar
College of Engineering, Madurai, , Informatica 33
(2009) 25–40
 (IJCNS) International Journal of Computer and Network Security, 125
Vol. 2, No. 9, September 2010

[5] Greg Goth, Steganalysis Gets Past the Hype, IEEE,

Distributed Systems Online 1541-4922 © 2005
Published by the IEEE Computer Society Vol. 6, No. 4;
April 2005.
[6] Guillermito, Steganography: a few tools to discover
hidden data. Retrieved September 29, 2007,from
http://www.guillermito2.net/stegano/tools/index.html
[7] J. Kelley, Terrorist instructions hidden online.
Retrieved September 14, 2007, from
http://www.usatoday.com /tech/news/2001-02-05-
binladen-side.htm
[8] Liu Shaohui, Yao Hongxun, and Gao Wen, NEURAL
NETWORK BASED STEGANALYSIS IN STILL
IMAGES, Department of Computer Science, Harbin
Institute of Technology, ICME 2003.
[9] Niels Provos, Peter Honeyman, Hide and Seek:
Introduction to Steganography, University of Michigan,
Published by the IEEE Computer Society, 2003.
[10] N. Provos, and P. Honeyman, Detecting steganographic
content on the internet. Retrieved September 2, 2007,
from
http://www.citi.umich.edu/u/provos/papers/detecting.pd
f
[11] Samir K Bandyopadhyay, and Debnath Bhattacharyya,
A Tutorial Review on Steganography, University of
Calcutta, Senate House, 87 /1 College Street, Kolkata,
UFL & JIITU,2008.
[12] Vajiheh Sabeti; Shadrokh Samavi, Mojtaba Mahdavi
and Shahram Shirani, Steganalysis of Embedding in
Difference of Image Pixel Pairs by Neural Network,
Department of Electrical and Computer Engineering,
Isfahan University of Technology, Isfahan, Iran
McMaster University, Hamilton, Canada, January 2009,
Volume 1, Number 1 (pp. 17{26), http://www.isecure-
journal.org.

Ms. P T Anitha received B.Sc. Computer

Applications and Master of Computer
Applications degree from Bharathiar University
in 1993 and 1996 respectively. I am having
twelve years experience
in teaching. I am Pursuing Doctorate degree in
computer Science under the guidance of Dr. M. Rajaram, who is
working as a HOD in the Department of Electrical and Electronic
Engineering, Govt. College of Engineering, Trinelveli. My area of
research is Steganalysis. Currently I am working to improve the
performance of the steganalysis algorithms used in corporate E-
mails.