WIXLIB

A Security-Oriented Task Scheduler for Heterogeneous Distributed SystemsDSD ( s i ) q k 1where 0 w ik 1 , 0, if sik p kj,kk si p j , otherwisekkw ik g ( s ik , p kj ) , g ( si , p j ) q wk 1ki39(1) 1.kNote that w i is the weight of the kth security service for task Ti. Users specify intheir requests the weights to reflect relative priorities given to the required securityservices. Degree of Security Deficiency, or DSD, is defined to be a weighted sum of qdiscrepancy values between security levels requested by a task and the security levelsoffered by a site. For each task, a small DSD value means a high satisfaction degree.Zero DSD value implies that a task’s security requirements can be perfectly met. Thatis, there exists at least one site Mj in M that can satisfy the following condition: k [1, q ], s ik p jj .Let Xi be all possible schedule for task Ti, x i X i be a scheduling decision of Ti.Given a task Ti, the degree of security deficiency value (DSDV) of Ti is expected to beminimized:DSDV{DSD( x i ) minxi Xi q ( x i ) } min w ik ( g ( s ik , p k ( x i ))) xi X i k 1 (2)where p k ( x i ) p kj if the task is allocated to site j. A security-aware schedulerstrives to minimize the system’s overall DSDV value defined as the sum of the degreeof security deficiency of submitted tasks (See Equation 1). Thus, the following DSDVfunction needs to be minimized: SDSD ( x ) min DSDVx X T i T .(xi ) (3)where T is a set of submitted tasks. Substituting Equation 2 into 3 yields the followingsecurity objective function. Thus, our proposed SATS scheduling algorithm makes aneffort to schedule tasks in a way to minimize Equation 4: qSDSD ( x ) min min w ik ( f ( s ik , p k ( x i ))) .x X Ti T x i X i k 1 (4)Since the degree of security deficiency for task Ti merely reflects the securityservice satisfaction degree experienced by the task, it is inadequate to measure qualityof security for Ti during its execution. Therefore, we derive in this section theprobability P rf ( T i , M j ) that Ti remains risk-free during the course of its execution.The quality of security of a task Ti with respect to the kth security service iscalculated as exp λ k e j q c l ( s l ) where λ ik is the task's risk rate of the ij i i i l 1

40T. Xie and X. Qinkth security service, and c ijl ( s il ) is the security overhead experienced by the task onsite j. The risk rate is expressed as:λ ki 1 exp ( α (1 s ik ) ).(5)Note that this model assumes that risk rate is a function of security levels, and thedistribution of risk-free for any fixed time interval is approximated using a Poissonprobability distribution. The risk rate model is just for illustration purpose only. Thus,the model can be replaced by any risk rate model with a reasonable parameter α.The quality of security of task Ti on site Mj can be obtained below by consideringall security services provided to the task. Consequently, we have:Prf (T i , M) exp( λqjkik 1 j e i q cl 1lij ( s il ) ) exp e i j q cl 1lij q( s il ) λ ik k 1 . (6)Using equation 6, we obtain the overall quality of security of task Ti in the systemas follows,Prf (T i ) {P [xnj 1i j ] Prf (T i , M j ) } n pj 1 ij exp e i j q cl 1lij q( s il ) λ ik k 1 (7)where pij is the probability that Ti is allocated to site Mj. Given a task set T, theprobability that all tasks are free from being attacked during their executions iscomputed based on Equation 7. Thus,P rf ( T ) P rf (T i ).(8)Ti TBy substituting the risk rate model into Equation 8, we finally obtain Prf(X) asshown below:P rf ( X ) n j 1 Ti T j p ij exp e i q l 1 qc ijl ( s il ) λ ik k 1 . (9)In summary, DSD values show us security service satisfaction degrees experiencedby tasks, while risk-free probability measured by Equation 9 defines quality ofsecurity provided by a heterogeneous distributed system. In Section 5 these twometrics are used to evaluate security of distributed systems.2.3 Heterogeneity ModelThe computational weight of task Ti on site Mj (e.g., w i j ) is defined as a ratio betweenits execution time on Mj and that on the fastest site in the system. That is, we haven( )w i j e i j min e ik . The computational heterogeneity level of task Ti, referred to ask 1

A Security-Oriented Task Scheduler for Heterogeneous Distributed Systems41H iC , can be quantitatively measured by the standard deviation of the computationalweights. Formally, H iC is expressed as:H (wn1n Cij 1avgi w ij)2n , where w avg j i wi j 1n.(10)The computational heterogeneity of a task set T can be computed by1.H C H iC T Ti TThere are three types of security heterogeneities. (i) Security heterogeneity of aparticular task Ti indicates the difference of security requirements in the q securityservices requested by the task (see Equation 11). (ii) Security heterogeneity of a givensecurity service provided by each site in a distributed system reflects the discrepancyof the offered security levels of the service in the system (see Equation 12). (iii)Security heterogeneity of a particular site Mj shows the deviation of the q securitylevels provided by the site (see Equation 13).Given a task Ti and its security requirement Si ( s i1 , s i2 , , s iq ), the heterogeneityof security requirement for Ti is measured by the standard deviation of the securitylevels in the vector. Thus,HSi1q (sqj 1avgi s ij)2q , where s avg s i j i j 1n.(11)The security requirement heterogeneity of a task set T can be computed by1H S H iS . T Ti TThe heterogeneity level of the kth security service in a distributed system isdefined as:HVk1n (pni 1kavg p ik)2n , where p k p ik n . avg i 1 (12)Using Equation 12, the heterogeneity of security services can be written as1 qH V H V .q kk 1Finally, the heterogeneity level of security services in site Mj is defined to be:HMj 1q (pqk 1avgj p kj)2q, where p avg .k j p j q k 1(13)2.4 Security Overhead ModelNow we consider security overhead incurred by security services. The followingsecurity overhead model includes three services, namely, encryption, integrity, andauthentication [18]. The security overhead model can be easily extended toincorporated more security services.

42T. Xie and X. QinSuppose task Ti requires q security services, which are provided in sequentialorder. Let s ik and c ijk ( s ik ) be the security level and overhead of the kth securityservice, the security overheadcij experienced by Ti on site Mj can be computed usingEquation 14. In particular, the security overhead of Ti with security requirements forthe three services above is modelled by Equation 15.q cc ij cij k 1kij cj( s ik ) , where s i S i .kijk {a , e , g }( s ik ) , where s i j S i .(14)(15)where c ije ( s ie ) , c ijg ( s ig ) , and c ija ( s ia ) are overheads caused by the authentication,encryption, and integrity services [18]. Our security level assignment is reasonablebecause a security mechanism providing higher quality of security imposes higheroverhead than mechanisms offering lower security.The encryption overhead c ie of Ti on Mj is computed using Equation 16, whereπ ie is the CPU time spent in encrypting security sensitive data.c ije ( s ie ) π ije s ie , where s ie S i .(16)The integrity overhead can be calculated using the following equation, where li isthe amount of security sensitive data, and μ g ( s ig ) is a function mapping a securitylevel into its corresponding integrity service performance.c ijg ( s ig ) l i μ g ( s ig ) , where s ig S i .(17)The security level of a security mechanism can be quantitatively measured by theamount of cost needed to successfully break the mechanism. However, quantitativelymeasuring the security level of a security mechanism is a nontrivial research issue,and it is out of the scope of this work.3 The SATS AlgorithmFor task Ti, the earliest start time on site Mj is esj(Ti), which can be computed byEquation 18:es j (T i ) r j j e l T l W j q ck 1klj ( s lk ) (18)where rj represents the remaining overall execution time of a task currently runningon the jth site, and e j lq ck 1klj( s lk ) is the overall execution time (security overheadis factored in) of waiting task Tl assigned to site Mj prior to the arrival of Ti. Thus, theearliest start time of Tl is a sum of the remaining overall execution time of the running

A Security-Oriented Task Scheduler for Heterogeneous Distributed Systems43task and the overall execution times of the tasks with earlier arrival on site Mj.Therefore, the earliest completion time for task Ti on site Mj can be calculated as:qe c j (T i ) es j (T i ) e i j c ijk ( s ik ) r j k 1qq j e l c ljk ( s lk ) e ij c ijk ( s ik )k 1Tl W j k 1 (19)1.for each task Ti submitted to the schedule queue do2. for each site Mj in the system do3.Use Eq.18 to compute esj(Ti), the earliest start time of Ti on site Mj;4.Use Eq.19 to compute ecj(Ti), the earliest completion time of Ti on Mj;5. end for6. Sort all sites in earliest completion time in a non-decrease order7. for each site in the security-adaptive window do8.Use Eq.1 to compute DSD ( si ) /* Compute DSD for each site*/9. end for10. Select the site Mr that can offer the smallest DSD value and assign Ti on it11. Update site Mr’s earliest available time esj12. Use Eq.6 to compute risk-free probability for task Ti13. Record start time and completion time for task Ti14.end forFig. 2. The SATS algorithmThe SATS algorithm is outlined in Figure 2. The goal of the algorithm is to deliveroptimal quality of security while maintaining high performance for tasks running onheterogeneous systems. To achieve the goal, SATS manages to minimize degree ofsecurity deficiency (see Equation 1) of each task (see Step 10 in Fig. 2) withoutperformance deterioration. Before optimizing the degree of security deficiency of taskTi, SATS sorts all the sites in a non-decrease order in Ti’s total execution time basedon the information retrieved from the execution time manager and the securityoverhead manager (see Figure 1). Step 7 computes the degree of security deficienciesfor the task on each site in the light of the security deficiency calculator. Combiningthe input from the security-adaptive window controller, the task allocation decisionmaker decides a site to which the task is allocated.4 SimulationsUsing extensive simulation experiments based on San Diego Supercomputer Center(SDSC) SP2 log, we evaluate in this section the potential benefits of the SATSalgorithm. The real trace was sampled on a 128-node (66MHz) IBM SP2 from May1998 through April 2000. To simplify our experiments, we utilized the first threemonths data with 6400 parallel tasks in simulation. Since the trace was sampled froma homogenous environment, to reflect the heterogeneity of the simulated distributedsystem, we translated the “execution time” of each task from a single value to a vectorwith n (number of sites) elements based on the heterogeneity model described inSection 2.3. In purpose of revealing the strength of SATS, we compared it with twowell-known scheduling algorithms, namely, Min-Min and Sufferage [14]. Min-Minand Sufferage are non-preemptive task scheduling algorithms, which schedule a

44T. Xie and X. Qinstream of independent tasks onto a heterogeneous distributed computing system. Thetwo algorithms are briefly described below.(1) MINMIN: For each submitted task, the site that offers the earliest completion timeis tagged. Among all the mapped tasks, the one that has the minimal earliestcompletion time is chosen and then allocate to the tagged site.(2) SUFFERAGE: Allocating a site to a submitted task that would “suffer” most interms of completion time if that site is not allocated to it.Table 1. Characteristics of system parametersParameterValue (Fixed) - (Varied)Number of tasks(6400)Number of sitesTask arrival rate(16) – (8, 16, 32,64,128)Decided by the traceSize of security-adaptive windowSite security level (uniform dist.)Task security level (uniform dist.)(8) – (1, 2, 4, 8, 16)(0.1 – 1.0)(0.1 – 1.0)Authentication 0.2, Encryption 0.5, Integrity 0.3Weights of security services4.1 Simulator and Simulation ParametersThe parameters of sites in the simulated distributed system are chosen to resemblereal-world workstations like IBM SP2 nodes. Table 1 summarizes the key configuration parameters of the simulated distributed system used in our experiments.We modified the trace by adding a block of data to be secured for each task in thetrace. The size of the security-required data assigned to each task is controlled by auniform distribution (see Table 1). Although “task number”, “submit time”, and“execution time” of tasks submitted to the system are taken directly from the trace,“size of data to be secured”, “number of sites”, “computational heterogeneity”, and“security heterogeneity” are synthetically generated in accordance with the abovemodel since they are not available in the trace. The performance metrics we usedinclude: risk-free probability (see Equation 9), degree of security deficiency (seeEquation 1), site utilization (defined as the percentage of total task running time out oftotal available time of a given site), makespan (the latest task completion time in thetask set), average response time (the response time of a task is the time periodbetween the task’s arrival and its completion and the average response time is theaverage value of all tasks’ response time), slowdown ratio (the slowdown of a task isthe ratio of the task’s response time to its service time and the slowdown ratio is theaverage value of all tasks’ slowdowns).4.2 Overall Performance ComparisonsThe goal of this experiment is two fold: (1) to compare the proposed SATS algorithmagainst the two heuristics, and (2) to understand the sensitivity of SATS to the size ofsecurity-adaptive window.

A Security-Oriented Task Scheduler for Heterogeneous Distributed Systems(a) Risk-free probability(d) Makespan(b) Degree of security deficiency(e) Average response time45(c) Site utilization(f) Slowdown ratioFig. 3. Performance impact of size of security-adaptive windowFigure 3 shows the simulation results for the three algorithms on a distributedsystem with 16 sites. Since MINMIN and SUFFERAGE do not have a securityadaptive window, their performance in all six metrics keeps constant. We observefrom Figure 3a that SATS significantly outperforms the two heuristics in terms ofrisk-free probability, whereas MINMIN and SUFFERAGE algorithms exhibit similarperformance.5 Summary and Future WorkIn this paper, we considered the security requirements of applications in the contextof task scheduling in heterogeneous distributed systems because an increasing numberof applications running on heterogeneous distributed systems requires not onlydescent scheduling performance but also high quality of security. To solve thisproblem, we proposed a security-adaptive scheduling heuristic that is based onthe concept of security heterogeneity. Experimental results demonstrate that ourstrategy outperforms existing approaches in both security and performance. In futureresearch, the heuristic will be extended to schedule parallel applications.

46T. Xie and X. QinReferences1. Arpaci-Dusseau, A.C.: Implicit Coscheduling: Coordinated Scheduling with ImplicitInformation in Distributed Systems. ACM Trans. on Computer Systems, Vol.19, No.3,(2001) 283-3312. Braun , T. D. et al.: A Comparison Study of Static Mapping Heuristics for a Class ofMeta-tasks on Heterogeneous Computing Systems. Proc. Workshop HeterogeneousComputing, (1999) 15-293. Casavant, T.L, Kuhl, J.G.: A Taxonomy of Scheduling in General-purpose DistributedComputing Systems. IEEE Trans. Software Engineering, Vol.14, No.2, (1988) 141-1544. Connelly, K., Chien, A.A.: Breaking the barriers: high performance security for highperformance computing. Proc. Work-shop on New security paradigms, Sept. (2002)5. Dogan, A., Özgüner, F.: Reliable matching and scheduling of precedence-constrained tasksin heterogeneous distributed computing. Proc. Int’l Conf. Parallel Processing, (2000)307-3146. Dogan, A., Özgüner, F.: LDBS: A Duplication Based Scheduling Algorithm forHeterogeneous Computing Systems. Proc. Int’l Conf. Parallel Processing, (2002) 352-3597. Donoho, G.: Building a Web Service to Provide Real-Time Stock Quotes. MCAD.Net,Feb. (2004)8. Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in distributed systems:Theory and practice. ACM Trans. Computer Systems, Vol.10, No.4, Nov. (1992) 265-3109. Peng, D.-T., Shin, K.G.: Optimal scheduling of cooperative tasks in a distributed systemusing an enumerative method. IEEE Trans. Software Engineering, Vol.19, No.3, Mar.(1993) 253-26710. Petrini F., Feng, W.-C.: Scheduling with Global Information in Distributed Systems. Proc.20th Int’l Conf. Distributed Computing Systems, April (2000) 225 – 23211. Ranaweera, S., Agrawal, D.P.: Scheduling of Periodic Time Critical Applications forPipelined Execution on Heterogeneous Systems. Proc. Int’l Conf. Parallel Processing,Sept. (2001) 131-13812. Sandhu, R.S. et al.: Role-Based Access Control Models. IEEE Computer, Vol.29,No.2,(1996) 38-4713. Son, S.H., Mukkamala, R., David, R.: Integrating security and real-time requirementsusing covert channel capacity. IEEE Trans. Knowledge and Data Engineering. Vol.12,No.6, (2000) 865 – 87914. Song, S., Kwok, Y.-K., Hwang, K.: Trusted Job Scheduling in Open Computational Grids:Security-Driven Heuristics and A Fast Genetic Algorithms. Proc. Int’l Symp. Parallel andDistributed Processing, (2005)15. Srinivasn, S., Jha, N.K.: Safety and Reliability Driven Task Allocation in DistributedSystems. IEEE Trans. Parallel and Distributed Systems, Vol.10, No.3, Mar. (1999) 238-25116. Topcuoglu, H., Hariri, S., Wu, M.-Y.: Performance-effective and Low-complexity TaskScheduling for Heterogeneous Computing. IEEE Trans. Parallel and Distributed Sys.,Vol.13, No.3, Mar. (2002)17. VeriSign Corp.: Simplifying Application and Web Services Security - VeriSign TrustGateway. (2003)18. Xie, T., Qin, X.: Scheduling Security-Critical

security overhead for each arrival task on each site is a prior, and this information is maintained in the security overhead manager module. The DSD calculator is used to calculate discrepancies between an arrival task's security level requirements and the security levels that each site offers. The function of security-adaptive window