

Computer Networks 52 (2008) 1390–1409


Dynamic CPU provisioning for self-managed secure web applications in SMP hosting platforms

Jordi Guitart *, David Carrera, Vicenç Beltran, Jordi Torres, Eduard Ayguadé

Barcelona Supercomputing Center (BSC), Computer Architecture Department, Technical University of Catalonia,

C/ Jordi Girona 1-3, Campus Nord UPC, Mòdul C6, E-08034 Barcelona, Spain

Received 14 March 2007; received in revised form 3 December 2007; accepted 8 December 2007
Available online 1 February 2008
doi:10.1016/j.comnet.2007.12.009

Responsible Editor: C. Westphal

Abstract

Overload control mechanisms such as admission control and connection differentiation have proven effective for preventing overload of application servers running secure web applications. However, achieving optimal results in overload prevention is only possible when some kind of resource management is considered in addition to these mechanisms.

In this paper we propose an overload control strategy for secure web applications that brings together dynamic provisioning of platform resources and admission control based on secure socket layer (SSL) connection differentiation. Dynamic provisioning enables additional resources to be allocated to an application on demand to handle workload increases, while the admission control mechanism avoids the server's performance degradation by dynamically limiting the number of new SSL connections accepted and preferentially serving resumed SSL connections (to maximize performance on session-based environments) while additional resources are being provisioned.

Our evaluation demonstrates the benefit of our proposal for efficiently managing the resources and preventing server overload on a 4-way multiprocessor Linux hosting platform, especially when the hosting platform is fully overloaded.

© 2008 Elsevier B.V. All rights reserved.

Keywords: Internet servers; Dynamic resource provisioning; Self-adaptation; Overload prevention; Admission control; Connection differentiation; Security

1. Introduction

In recent times, e-commerce applications have become commonplace in current web sites. In these applications, all the information that is confidential or has market value must be carefully protected when transmitted over the open Internet. Security between network nodes over the Internet is traditionally provided using HTTPS [1]. With HTTPS, which is based on using HTTP over SSL (secure socket layer [2]), you can perform mutual authentication of both the sender and receiver of messages and ensure message confidentiality. Although providing these security capabilities does not introduce a new degree of complexity in the structure of web applications, it remarkably increases the computation time needed to serve a connection, due to the use of cryptographic techniques, turning it into a CPU-intensive workload.

At the same time, current sites are subject to enormous variations in demand, often in an unpredictable fashion, including flash crowds that cannot be easily processed. For this reason, the servers that host the sites can encounter situations with a large number of concurrent clients. Dealing with these situations and/or with workloads that demand high computational power (for instance, secure workloads) can lead a server to overload (i.e. the volume of requests for content at a site temporarily exceeds the capacity for serving it and renders the site unusable). During overload conditions, the response times may grow to unacceptable levels, and exhaustion of resources may cause the server to behave erratically or even crash, causing denial of service. In e-commerce applications, which are heavily reliant on security, such server behavior could translate into sizable revenue loss.

Overload prevention is a critical goal so that a system can remain operational in the presence of overload even when the incoming request rate is several times greater than the system's capacity. At the same time it should be able to serve the maximum number of requests during such overload, while maintaining the response times at acceptable levels.

Additionally, in many web sites, especially in e-commerce, most of the applications are session-based. A session contains temporally and logically related request sequences from the same client. Session integrity is a critical metric in e-commerce. For an online retailer, the higher the number of sessions completed, the higher the amount of revenue that is likely to be generated. The same statement cannot be made about individual request completions. Sessions that are broken or delayed at some critical stages, like checkout and shipping, could mean loss of revenue to the web site. Sessions have distinguishable features from individual requests that complicate the overload control. For this reason, simple admission control techniques that work on a per-request basis, such as limiting the number of threads in the server or suspending the listener thread during overload periods, may lead to a large number of broken or incomplete sessions when the system is overloaded (despite the fact that they can help to prevent server overload).

Taking these considerations into account, several techniques have been proposed to deal with overload, such as admission control, request scheduling, service differentiation, service degradation, and resource management. All of them have proven to be effective at preventing overload to a certain extent. For instance, in our previous work [3], we demonstrated the benefit of using admission control based on SSL connection differentiation to prevent the overload of application servers running secure web applications. However, our subsequent research indicates that some kind of dynamic resource management must be considered in addition to admission control to achieve optimal results in overload prevention. The reasoning for this is twofold.

Firstly, due to the variability of web workloads, it is desirable that web applications are able to increase their capacity dynamically by allocating more resources in order to deal with extreme overloads. Secondly, web applications typically run on hosting platforms that rent resources to them. Application owners pay for platform resources, and in return, the application is provided with guarantees on resource availability and QoS. The hosting platform is responsible for providing sufficient resources to each application to meet its workload, or at least to satisfy the agreed QoS. Previous literature [4–6] has demonstrated that this is better accomplished by dynamically reallocating resources among hosted applications according to the variations in their workloads instead of statically over-provisioning resources. In this way, better resource utilization can be achieved and the system can react to unexpected workload increases.

According to this, in this paper we propose a global overload control strategy for secure web applications that brings together admission control based on SSL connection differentiation and dynamic provisioning of platform resources in order to adapt to changing workloads while avoiding QoS degradation. We have implemented a global resource manager for a Linux hosting platform that distributes the available resources among the application servers running on it. These servers incorporate self-management facilities that adapt the accepted load to the assigned resources by using an admission control mechanism. The whole process is transparent to the end user. Although our implementation targets the Tomcat [7] application server, the proposed overload control strategy can be applied to any other server.



The rest of the paper is organized as follows: Section 2 presents some experiments motivating our work. Section 3 details the implementation of the different components of our overload control strategy. Section 4 describes the experimental environment used in our evaluation. Section 5 presents the evaluation results of our overload control strategy. Section 6 describes the related work and finally, Section 7 presents the conclusions of this paper.

2. Motivation and contributions

2.1. Motivating experiments

In this section, we justify the convenience of integrating dynamic resource provisioning with admission control using two experiments, which consist of the execution of two application servers (Tomcat 1 and Tomcat 2) running secure web applications for 90 minutes in a 4-way Linux hosting platform. In the first experiment, two processors are statically assigned to each server. In the second one, there is no static allocation of processors. In this case, the default Linux scheduler is responsible for dynamically distributing the available processors between the two servers according to its scheduling policy. In both cases, the admission control mechanism described in [3] is used.

Fig. 1. Incoming workload (top) and achieved throughput of two Tomcat instances in a 4-way hosting platform with admission control and static resource provisioning (middle) and Linux default dynamic resource provisioning (bottom).

Fig. 1 shows the results obtained for these two experiments. Each application server has a variable input load over time, which is shown in the top part of the figure, representing the number of new sessions per second initiated with the server as a function of the time (in seconds). The figure also shows the throughput achieved by each server as a function of the time when running with static processor allocation (middle) and with dynamic processor allocation (bottom), in a way that can be easily correlated with the input load.

These experiments confirm that dynamic resource provisioning allows the resources to be exploited more efficiently. For example, as shown in Fig. 1 in the zone labeled B (between 1800 s and 2400 s), Tomcat 1 achieves higher throughput with dynamic provisioning (bottom) than with static provisioning (middle) (150 vs. 110 replies/s), while Tomcat 2 achieves the same throughput in both cases. This occurs because when using static resource provisioning Tomcat 1 is under-provisioned (it has fewer processors allocated than needed to handle its incoming workload) while Tomcat 2 is over-provisioned (it has more processors allocated than needed to handle its incoming workload), denoting an inefficient processor distribution. On the other hand, using dynamic resource provisioning allows the processors not used by Tomcat 2 to be used by Tomcat 1.

As commented before, in these motivating experiments we use the admission control mechanism proposed in [3] to avoid the throughput degradation that occurs when secure web applications are under-provisioned, as described in [8]. This mechanism limits the accepted load for each server so that it can be handled with the processors assigned to that server. When using static resource provisioning, the servers can easily determine the number of processors that they have allocated, because this is a fixed number (e.g. two in our experiment). However, when using dynamic resource provisioning, the servers cannot accurately apply the admission control mechanism because they do not have information about the number of processors assigned to them at a given moment (this number varies over time). In this case, the admission control mechanism becomes useless, neutralizing its benefit in preventing the throughput degradation that occurs when secure web applications are under-provisioned. This effect can be appreciated in the zone labeled E (between 4200 s and 4800 s) of Fig. 1. In this zone, static provisioning (middle) allows both servers to achieve considerably higher throughput than dynamic provisioning (bottom) (110 vs. 55 replies/s).

From these experiments, we can conclude that, in order to manage the resources efficiently and prevent web application overload in hosting platforms where applications compete for the available resources, we must design a global strategy involving an accurate collaboration between dynamic resource provisioning and admission control mechanisms.

2.2. Contributions

In this paper, we propose a novel global overload control strategy for secure web applications that brings together admission control based on SSL connection differentiation and dynamic provisioning of platform resources in order to adapt to changing workloads while avoiding QoS degradation. Dynamic provisioning enables additional resources to be allocated to an application on demand to handle workload increases, while the admission control mechanism maintains the QoS of admitted requests by turning away excess requests and preferentially serving preferred clients (to maximize the generated revenue) while additional resources are being provisioned.

Fig. 2. Global overload control strategy.

Fig. 2 shows a diagram describing our overload control strategy. It is based on a global processor manager, called eDragon CPU Manager (ECM), responsible for periodically distributing the available resources (i.e. processors¹) among the different applications running in a hosting platform by applying a given policy (which can consider e-business indicators).

Our approach includes enabling self-management capabilities on the applications, allowing them to cooperate with the ECM to efficiently manage the processors and prevent the applications from overloading. This cooperation includes bi-directional communication. On one side, the applications periodically request from the ECM the number of processors needed to handle their incoming load while avoiding degradation of the QoS. We define the number of processors requested by application i as R_i. On the other side, the ECM can be requested at any time by the applications to inform them about their processor assignments. We define the number of processors allocated to application i as A_i.

Given the number of processors assigned to them, the applications can apply an admission control mechanism to limit the number of admitted requests, accepting only those that can be served with the allocated processors without degrading their QoS. The admission control mechanism is based on SSL connection differentiation, depending on whether the SSL connection reuses an existing SSL connection on the server or not. Prioritizing resumed SSL connections maximizes the number of sessions successfully completed, allowing e-commerce sites based on SSL to increase the number of transactions completed, and thereby generating more revenue.

3. Overload control strategy

3.1. eDragon CPU Manager

The eDragon CPU Manager (ECM) is responsible for the distribution of processors among applications in the hosting platform. The ECM is implemented as a user-level process that periodically wakes up at a fixed time quantum, defined as k_ECM and with a value of 2 s in the current prototype, examines the current requests of the applications and distributes processors according to a scheduling policy. Using a user-level process avoids the direct modification of the native kernel in order to show the usefulness of the proposed environment.

¹ Since we focus on secure workloads, which are CPU-intensive, our resource provisioning strategy only considers processors.

The choice of a particular time quantum depends on the desired responsiveness of the system. We have chosen a small value in order to achieve a system that is able to react to unexpected workload changes in a very short time. Values in the same order of magnitude as the current k_ECM will provide similar performance results and system responsiveness.
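For illustration, the ECM control loop can be sketched as follows. This is our own simplified sketch, not the actual implementation: the request gathering, the policy of Section 3.1.1 and the affinity enforcement of Section 3.1.2 are reduced to stub methods.

    // Simplified, illustrative sketch of the ECM control loop.
    public final class EcmLoopSketch implements Runnable {
        private static final long K_ECM_MS = 2000;   // sampling interval k_ECM = 2 s

        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    Thread.sleep(K_ECM_MS);                    // wake up every k_ECM
                } catch (InterruptedException e) {
                    return;
                }
                int[] requests = readRequests();               // R_i of every application (stub)
                int[] allocations = applyPolicy(requests);     // A_i, see Eq. (1) (stub)
                enforceAffinity(allocations);                  // pin servers to their CPUs (stub)
            }
        }

        private int[] readRequests() { return new int[] {3, 2}; }
        private int[] applyPolicy(int[] requests) { return requests.clone(); }
        private void enforceAffinity(int[] allocations) { /* e.g. via sched_setaffinity */ }
    }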

The communication between the ECM and the applications is implemented using a shared memory region. We have defined a new Java class, which contains the following Java methods for calling, through the Java Native Interface (JNI) [9], the ECM services for requesting and consulting processors:

• cpus_assigned(): returns the current number of processors allocated to the calling application i (A_i).
• cpus_request(num): the calling application i requests num processors from the ECM (R_i).
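A minimal sketch of this class is shown below; the class and native library names are our own illustration (they are not specified in the paper), but the two methods correspond to the services just listed.

    // Hypothetical JNI wrapper for the ECM services (names are illustrative).
    public final class ECMConnector {
        static {
            System.loadLibrary("ecm");   // assumed native library implementing the ECM calls
        }
        // Returns A_i, the number of processors currently allocated to this application.
        public static native int cpus_assigned();
        // Communicates R_i, the number of processors this application requests.
        public static native void cpus_request(int num);
    }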

3.1.1. ECM scheduling policy

Traditionally, resource allocation policies have considered conventional performance metrics such as response time, throughput, and availability. However, the metrics that are of utmost importance to the management of an e-commerce site are revenue and profits, and they should be incorporated when designing policies [10]. For this reason, the ECM can implement policies which consider conventional performance metrics as well as incorporating e-business indicators.

As an example, we have implemented a simple but effective policy in order to demonstrate the efficiency of our overload prevention strategy. More complex policies (see Related Work) can be incorporated into the ECM, though the ECM does not offer a user interface to update the policy at the moment. Nevertheless, the code of the ECM has been developed with this possibility in mind, and for this reason, the implementation of the sample policy is encapsulated within a single function. According to this, changing the policy should be as easy as replacing this function with a new one implementing the desired policy.

Our sample policy considers an e-business indicator in the form of customers of different priority classes (such as Gold, Silver, or Bronze). The priority class P_i indicates a customer domain's priority in relation to other customer domains. It is expected that high priority customers will receive preferential service with respect to low priority customers. In our policy, at every sampling interval k_ECM, each application i receives a number of processors A_i(k_ECM) that is proportional to its request R_i(k_ECM) and to the application's priority class P_i according to the following equation, where NCpus is the number of processors in the hosting platform:

\[ A_i(k_{ECM}) = \mathrm{Round}\left[\frac{P_i \cdot R_i(k_{ECM}) \cdot NCpus}{\sum_{j=1}^{N} P_j \cdot R_j(k_{ECM})}\right] \qquad (1) \]

The scheduling policy should also allow the highest resource utilization to be achieved in the hosting platform. Our proposal to accomplish this with the ECM is based on sharing processors among the applications under certain conditions (minimizing the impact on application isolation). The current policy will decide to share a processor from application i with application j if the processor distribution policy has assigned application i all the processors it requested and the number of processors assigned to application j is lower than the number it requested. Notice that, in this situation, it is possible that a fraction of a processor allocated to application i is not used; for example, if application i needs 2.5 processors, its processor request (R_i) will be 3. If the ECM allocates 3 processors to application i, 0.5 of a processor may not be used. With the processor sharing mechanism, this fraction can be utilized by application j.

The current ECM implementation only considers sharing a processor between two applications with 0.5 processor granularity. In our opinion, this is enough to show that processor sharing can be an option to achieve good resource utilization in the hosting platform. However, we are working on a finer granularity implementation in which both the processor requests from the applications and the processor assignments decided by the ECM consider fractional utilization of the processors.
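Putting Eq. (1) into code, the core of the policy function could be sketched as follows. This is an illustrative version only: it implements the rounding of Eq. (1) but not the processor sharing mechanism described above, and the rounding may leave the allocations summing slightly above or below NCpus.

    // Illustrative implementation of Eq. (1): priority-weighted proportional share.
    // requests[i] = R_i(k_ECM), priorities[i] = P_i, nCpus = processors in the platform.
    static int[] distributeProcessors(int[] requests, int[] priorities, int nCpus) {
        double weightedSum = 0;
        for (int j = 0; j < requests.length; j++) {
            weightedSum += priorities[j] * requests[j];
        }
        int[] allocations = new int[requests.length];
        for (int i = 0; i < requests.length; i++) {
            allocations[i] = (weightedSum == 0) ? 0
                    : (int) Math.round(priorities[i] * requests[i] * nCpus / weightedSum);
        }
        return allocations;
    }

For example, with NCpus = 4 and two equal-priority applications requesting R_1 = 3 and R_2 = 2 processors, Eq. (1) yields A_1 = Round(12/5) = 2 and A_2 = Round(8/5) = 2.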

The processor sharing mechanism can also consider e-business indicators, such as the application's priority class. As an example, we have also modified the ECM policy in order to benefit high priority applications with respect to low priority applications when sharing processors. With this modification, a processor can only be shared from low priority applications to high priority applications, but not the other way around. This allows high priority applications to achieve higher throughput, but resource utilization in the hosting platform may be worse. Detailed results obtained with this modification can be found in the evaluation (see the third multiprogrammed experiment in Section 5.2).

Additionally, the ECM performs the complete accounting of all the resource allocations decided. This feature is very valuable in hosting platforms that charge applications according to their resource usage, because in this case hosting platforms need to know exactly how many resources have been used by each application.

3.1.2. Application isolation

The ECM aims to minimize the interferences between applications by providing application isolation, that is, given a resource distribution among applications, an application always achieves the same performance with that resource allocation irrespective of the load on other applications. This is an important issue in shared hosting platforms, because a malicious or overloaded application could grab more than its allocated resources, affecting the performance of other applications.

Our proposal provides application isolation by limiting the resources consumed by each application to its reserved amount. This is accomplished in two complementary ways. First, we consider self-managed applications, which are able to use the admission control mechanism to limit their accepted load so that it can be handled with their assigned processors. Second, in order to prevent the possibility that any application could affect the performance of the other applications because it does not use the admission control mechanism, the ECM not only decides how many processors to assign to each application but also which processors. In order to accomplish this, the ECM configures the CPU affinity mask of each application (using the Linux sched_setaffinity function) so that the processor allocations of the different applications do not overlap (except when applications share a processor).
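As a rough user-level approximation of this affinity enforcement (our sketch, which shells out to the Linux taskset utility instead of calling sched_setaffinity directly as the ECM does), consider:

    // Pins a server process to a set of CPUs using the Linux "taskset" utility.
    // cpuList uses taskset syntax, e.g. "0-2" or "1,3"; pid is the server process id.
    static void pinProcess(long pid, String cpuList)
            throws java.io.IOException, InterruptedException {
        new ProcessBuilder("taskset", "-pc", cpuList, Long.toString(pid))
                .inheritIO()
                .start()
                .waitFor();
    }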

3.2. Application components

Our overload control approach includes adding self-managing capabilities to the applications running in a hosting platform with the ECM. First, the applications must be able to determine the number of processors they need to handle their incoming workload while avoiding QoS degradation, that is R_i, and provide this value to the ECM. Our proposal achieves this capability by adding a new component, called the eDragon Load Monitor (ELM), within the server that runs each web application (see Fig. 2). Second, the applications must be able to adapt their behavior according to the resources provided by the ECM in order to prevent overload and in this way maintain the QoS of admitted requests. This is accomplished by adding another component, called the eDragon Admission Control (EAC), within the server that runs each web application (see Fig. 2).

Fig. 3. Components interaction in our control strategy.

Notice that, although we have modified the server that runs the applications (not the web applications themselves), this is only a proof-of-concept for demonstrating the feasibility of our proposal. In a production system, the proposed functionality could be easily implemented in a proxy, thereby avoiding any modification of the applications.

Both the ELM and the EAC are active components that continuously monitor the incoming SSL connections reaching the server. The ELM uses the monitored information to estimate the resource requirements of the application. The EAC is responsible for deciding on the acceptance of incoming SSL connections depending on the allocated resources. Every sampling interval, the ELM and the EAC communicate with the ECM in order to update the resource provisioning depending on the current application workload. If desired, the ELM and the EAC can use a different sampling interval from the ECM. We define this value as k_APL. However, in the current implementation k_ECM and k_APL have the same value (i.e. 2 s).

As shown in Fig. 3, both the ELM and the EAC are based on the differentiation between new and resumed SSL connections, which is performed with the differentiation mechanism described in [3]. When a client establishes a new SSL connection with the server, a full SSL handshake is negotiated, including parts that require a great amount of computation time. On the other hand, when a client establishes a new HTTP connection with the server over an existing SSL connection (i.e. it resumes an SSL connection), an SSL resumed handshake is negotiated. As the SSL session ID is reused, part of the SSL handshake negotiation can be avoided, considerably reducing the computation time needed to perform a resumed SSL handshake. Our measurements on a 1.4 GHz Xeon machine reveal that the computational demands of a full SSL handshake and a resumed SSL handshake are around 175 ms and 2 ms, respectively. Notice the big difference between both types of handshake.
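To put these costs in perspective (illustrative arithmetic, not taken from the paper), a single processor provides 2000 ms of computation time during a 2 s sampling interval, which is enough for roughly 11 full SSL handshakes (2000/175) but around 1000 resumed handshakes (2000/2), ignoring the cost of generating the requested content. This large gap is what makes the differentiation between new and resumed connections so valuable for admission control.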

3.2.1. eDragon load monitor (ELM)

The ELM continuously monitors the incoming secure connections to the server and performs online measurements distinguishing new SSL connections from resumed SSL connections. For every sampling interval k_APL, the ELM calculates the number of resumed SSL connections (defined as O_i(k_APL)) and the number of new SSL connections (defined as N_i(k_APL)) received at application i during that interval. These measurements consider not only the accepted connections but all the connections received.

The average computation time entailed by a resumed SSL connection (defined as CTO_i) and the average computation time entailed by a new SSL connection (defined as CTN_i) have been measured using static profiling on the application. Each measurement includes not only the average computation time spent in the negotiation of the SSL handshake, but also the average computation time spent generating all the dynamic web content requested using that connection and the average computation time spent on SSL encryption/decryption during the data transfer phase.

Using the previously defined values, at the beginning of every sampling interval k_APL the ELM calculates R_i(k_APL), which is the number of processors that application i will need to handle its incoming workload during the interval k_APL. Then, it informs the ECM using the cpus_request function from the communication path between the applications and the ECM (as shown in Fig. 3). The complete equation is as follows:

\[ R_i(k_{APL}) = \left\lceil \frac{\hat{O}_i(k_{APL}) \cdot CTO_i + \hat{N}_i(k_{APL}) \cdot CTN_i}{k_{APL}} \right\rceil \qquad (2) \]

Notice that R_i(k_APL) depends on predicting the number of new and resumed SSL connections that will hit the server during the sampling interval k_APL. The ELM predicts these values from previous observations using an exponentially weighted moving average (EWMA) with parameter α = 0.7, in order to prevent sudden spikes in the sample from causing large reactions in the prediction. The complete equations are as follows:

\[ \hat{O}_i(k_{APL}) = \alpha \cdot O_i(k_{APL}-1) + (1-\alpha) \cdot \hat{O}_i(k_{APL}-1), \quad k_{APL} \ge 3; \qquad \hat{O}_i(k_{APL}) = O_i(k_{APL}-1), \quad k_{APL} = 2. \qquad (3) \]

\[ \hat{N}_i(k_{APL}) = \alpha \cdot N_i(k_{APL}-1) + (1-\alpha) \cdot \hat{N}_i(k_{APL}-1), \quad k_{APL} \ge 3; \qquad \hat{N}_i(k_{APL}) = N_i(k_{APL}-1), \quad k_{APL} = 2. \qquad (4) \]
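For illustration, the ELM estimation step could be coded as follows. This is our own sketch: it assumes all times are expressed in the same unit (seconds here), so that Eq. (2) is dimensionally consistent, and it folds Eqs. (2)-(4) into a single method.

    // Illustrative ELM estimator: EWMA prediction (Eqs. (3)-(4)) plus the
    // processor request of Eq. (2). All times are expressed in seconds.
    final class ElmSketch {
        private static final double ALPHA = 0.7;    // EWMA parameter
        private final double ctoSec;                 // CTO_i, cost of a resumed connection
        private final double ctnSec;                 // CTN_i, cost of a new connection
        private final double kAplSec;                // sampling interval k_APL
        private double oHat, nHat;                   // predicted O_i and N_i
        private boolean firstInterval = true;

        ElmSketch(double ctoSec, double ctnSec, double kAplSec) {
            this.ctoSec = ctoSec; this.ctnSec = ctnSec; this.kAplSec = kAplSec;
        }

        // observedO/observedN: resumed and new SSL connections counted in the last interval.
        int nextProcessorRequest(int observedO, int observedN) {
            if (firstInterval) {                     // k_APL = 2: use the last observation directly
                oHat = observedO; nHat = observedN; firstInterval = false;
            } else {                                 // k_APL >= 3: EWMA update
                oHat = ALPHA * observedO + (1 - ALPHA) * oHat;
                nHat = ALPHA * observedN + (1 - ALPHA) * nHat;
            }
            double cpuTimeNeeded = oHat * ctoSec + nHat * ctnSec;
            return (int) Math.ceil(cpuTimeNeeded / kAplSec);   // R_i(k_APL), Eq. (2)
        }
    }

As a numeric illustration (our numbers, taking the handshake costs alone as CTO_i and CTN_i), with CTO_i = 0.002 s, CTN_i = 0.175 s and k_APL = 2 s, a prediction of 20 resumed and 30 new connections yields R_i = ceil((20·0.002 + 30·0.175)/2) = ceil(2.645) = 3 processors.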

3.2.2. eDragon admission control (EAC)

The EAC extends the session-oriented adaptive mechanism described in [3], which performs admission control based on SSL connection differentiation. This mechanism prevents application overload by limiting the acceptance of new SSL connections to the maximum number that the application can handle without overloading. In addition, it accepts all the client connections that resume an existing SSL session, in order to increase the probability of a client completing a session, and in this way maximize the number of sessions successfully completed.

The EAC extends the original mechanism by performing admission control when the number of processors assigned to the server varies over time. In addition, the EAC improves the operation of the mechanism by using EWMA to make the predictions.

The EAC uses the measurements of incoming SSL connections performed by the ELM to calculate, at the beginning of every sampling interval k_APL, the maximum number of new SSL connections that can be accepted by application i during that interval without overloading. We define this value as AN_i(k_APL). This value depends on the number of processors allocated by the ECM to the application during the interval k_APL (previously defined as A_i(k_APL)), which can be requested from the ECM using the cpus_assigned function from the communication path between the applications and the ECM.

In addition, as resumed SSL connections have preference with respect to new SSL connections (all resumed SSL connections are accepted), AN_i(k_APL) also depends on the computation time required by the resumed SSL connections that will be accepted during the interval k_APL. This value can be calculated as Ô_i(k_APL) · CTO_i, using the value of Ô_i(k_APL) predicted by the ELM through EWMA (as shown in Fig. 3). According to this, the complete equation for calculating AN_i(k_APL) is as follows:

\[ AN_i(k_{APL}) = \left\lfloor \frac{k_{APL} \cdot A_i(k_{APL}) - \hat{O}_i(k_{APL}) \cdot CTO_i}{CTN_i} \right\rfloor \qquad (5) \]

The EAC will only accept the maximum number of new SSL connections that do not overload the server (AN_i(k_APL)); these can be served with the available computational capacity without degrading their QoS. The rest of the new SSL connections arriving at the server will be refused. Notice that, although connection classification and rejection is done at the application level, these tasks are performed prior to any handling of the incoming connection, even prior to the negotiation of the SSL handshake. For this reason, the associated rejection overhead is not noticeable.
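A compact sketch of this admission step (ours; again assuming that A_i, CTO_i, CTN_i and k_APL use consistent time units) is:

    // Illustrative EAC admission step for one sampling interval, based on Eq. (5).
    final class EacSketch {
        private final double ctoSec, ctnSec, kAplSec;   // CTO_i, CTN_i, k_APL (seconds)
        private int newBudget;                           // AN_i, new connections still admittable

        EacSketch(double ctoSec, double ctnSec, double kAplSec) {
            this.ctoSec = ctoSec; this.ctnSec = ctnSec; this.kAplSec = kAplSec;
        }

        // Called at the beginning of every sampling interval.
        // allocated = A_i(k_APL) from cpus_assigned(); oHat = predicted resumed connections.
        void startInterval(int allocated, double oHat) {
            double spare = kAplSec * allocated - oHat * ctoSec;   // CPU time left for new connections
            newBudget = (int) Math.max(0, Math.floor(spare / ctnSec));
        }

        // Called for every incoming SSL connection, before negotiating the handshake.
        boolean admit(boolean resumed) {
            if (resumed) {
                return true;                     // resumed SSL connections are always accepted
            }
            if (newBudget > 0) {
                newBudget--;
                return true;                     // new connection within the AN_i budget
            }
            return false;                        // surplus new SSL connections are refused
        }
    }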

4. Experimental environment

We use Tomcat v5.0.19 [7] as the application server. Tomcat is an open-source servlet container developed under the Apache license. Its primary goal is to serve as a reference implementation of the Sun Servlet and JSP specifications. Tomcat can work as a standalone server (serving both static and dynamic web content) or as a helper for a web server (serving only dynamic web content). In this paper we use Tomcat as a standalone server. We have configured Tomcat by setting the maximum number of HttpProcessors to 100 and the connection persistence timeout to 10 s.

The experimental environment also includes a deployment of the servlets version 1.4.2 of the RUBiS (Rice University Bidding System) [11] benchmark on Tomcat. RUBiS implements the core functionality of an auction site: selling, browsing and bidding. We decided to use RUBiS since it models a prototypical e-commerce application. However, since our overload control proposal is oriented to secure environments, in order to demonstrate its effectiveness we needed to modify the original implementation of RUBiS to use secure connections. We firmly believe that, though we are not using the benchmark in its strict sense, the results demonstrating that our approach is able to deal with overload are still valid. RUBiS defines 26 interactions. Five of the 26 interactions are implemented using static HTML pages. The remaining 21 interactions require data to be generated dynamically.

The client workload for the experiments was generated using a workload generator and web performance measurement tool called Httperf [12]. This tool allows the creation of a continuous flow of HTTP or HTTPS requests issued from one or more client machines and processed by one server machine. The workload distribution generated by Httperf was extracted from the RUBiS client emulator. The RUBiS client emulator defines two workload mixes: a browsing mix made up of only read-only interactions and a bidding mix that includes 15% read–write interactions. The experiments in this paper use the bidding mix, which is more representative of an auction site workload.

Although the RUBiS client emulator follows a closed system model, the combination of Httperf with a RUBiS workload allows the use of a partly-open model (as defined in [13]), which is a more realistic alternative to represent web application behavior. In this model, new clients initiate a session with the server (implemented as a persistent HTTPS connection) according to a certain arrival rate. This rate can be specified as one of the parameters of Httperf. Emulated clients use the established persistent connection to issue RUBiS interactions to the server.

Every time a client receives the server response to an interaction, there is a probability p that the client simply leaves the system, and a probability 1-p that the client remains in the system and makes another interaction, possibly after some think time. The think time emulates the "thinking" period of a real client who takes a period of time before clicking on the next link. The think time is generated from a negative exponential distribution with a mean of 7 s. The next interaction in the session is decided using a Markov model. This model uses a transition probability matrix with probabilities attached to transitions from each RUBiS interaction to the others. In particular, this matrix defines for each interaction the probability of ending the session (i.e. p), which is 0.2 for 10 of the 26 interactions and 0 for the rest. This value determines the duration of a RUBiS session, which is 50 interactions per session on average (with a maximum of 100 interactions per session). In addition, each interaction includes a request to the server for all the images embedded in the HTML page returned as a response to the interaction (1.4 images per interaction on average). Considering this, we measure the server throughput as the number of HTTP replies per second returned by the server to the clients' interactions (including the images requested).

Httperf also allows the configuring of a client timeout. If this timeout elapses and no reply has been received from the server, the current persistent connection with the server is discarded. This emulates the fact that a real client can get bored of waiting for a response from the server and leave the site. For the experiments in this paper, Httperf has been configured by setting the client timeout value to 10 s.
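As a usage illustration (hypothetical host, port and session-log file; only the rate, timeout and SSL options are meant to mirror the configuration described in this section), a client run might be launched roughly as:

    httperf --hog --server=tomcat-host --port=8443 --ssl \
            --wsesslog=1000,7,rubis.wsesslog --rate=3 --timeout=10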

The hosting platform is a 4-way Intel XEON 1.4 GHz with 2 GB RAM. We use MySQL v4.0.18 [14] as our database server with the MM.MySQL v3.0.8 JDBC driver. The MySQL server runs on another machine, which is a 2-way Intel XEON 2.4 GHz with 2 GB RAM. We also have a 2-way Intel XEON 3.0 GHz with 2 GB RAM machine running the workload generator (Httperf 0.8.5). All the machines are connected through a 1 Gbps Ethernet interface and run the 2.6 Linux kernel. For our experiments, we use the Sun JVM 1.4.2 for Linux, using the server JVM instead of the client JVM, using the concurrent low pause collector and setting the initial and the maximum Java heap size to 1024 MB. All the tests are performed with the common RSA-3DES-SHA cipher suite, using a 1024-bit RSA key.
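For reference, the JVM configuration just described corresponds roughly to starting Tomcat with options such as the following (illustrative; Tomcat's startup scripts pick these up through the JAVA_OPTS environment variable):

    export JAVA_OPTS="-server -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC"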

5. Evaluation

In this section we present the evaluation of our proposal divided into two parts. First, we evaluate the effectiveness of the self-managed Tomcat when using the eDragon Admission Control (EAC) to prevent application overload and the accuracy of the self-managed Tomcat when using the eDragon Load Monitor (ELM) to estimate its processor requirements, by comparing the performance of a single instance of the self-managed Tomcat server with respect to the original Tomcat. Second, we evaluate our overload control strategy, which combines dynamic resource provisioning and admission control, by running several experiments with two self-managed Tomcat instances in a multiprocessor hosting platform with the ECM.

5.1. Original Tomcat vs. self-managed Tomcat

In this section, we compare the performance of a single instance of the self-managed Tomcat server with respect to the original Tomcat by running a set of experiments with different client workloads in the environment previously described. In every experiment, the server receives client requests for 10 minutes and after that we measure some average metrics. Fig. 4 shows Tomcat's average throughput as a function of the number of new sessions per second initiated with the server, comparing the original Tomcat server with the self-managed Tomcat server. Notice that the server throughput increases linearly with respect to the input load (the server scales) until a determined number of clients hit the server. At this point, the throughput achieves its maximum value. Until this point, the self-managed Tomcat behaves in the same way as the original Tomcat. When the number of sessions that overloads the server has been reached, the original Tomcat's throughput begins to degrade as the number of sessions increases, until it reaches approximately 35% of the maximum achievable throughput when the server is fully overloaded. The self-managed Tomcat avoids this degradation by applying the admission control mechanism, maintaining the throughput at the maximum achievable level, as shown in Fig. 4.

Fig. 4. Throughput of the original Tomcat vs. self-managed Tomcat.

As well as degrading the server throughput, overload also affects the server response time, as shown in Fig. 5. This figure shows Tomcat's 95th-percentile response time (a metric typically used in the definition of SLA contracts) as a function of the number of new sessions per second initiated with the server, comparing the original Tomcat server with the self-managed Tomcat server. Notice that when the original Tomcat is overloaded the response time increases as the workload increases. On the other hand, the self-managed Tomcat can maintain the response time at levels that guarantee a good quality of service to the clients, even when the number of sessions that would overload the server has been reached, as shown in Fig. 5.

Overload has another undesirable effect, especially in e-commerce environments where session completion is a key factor. As shown in Fig. 6, which shows the number of sessions successfully completed comparing the original Tomcat server with the self-managed Tomcat server, when the original Tomcat is overloaded only a few sessions can completely finalize. Consider the great revenue loss that this fact can provoke, for example, in an online store, where only a few clients can finalize the acquisition of a product. On the other hand, the self-managed Tomcat can maintain the number of sessions that can completely finalize, even when the number of clients that would overload the server has been reached.

Fig. 5. 95th-percentile response time of the original Tomcat vs. self-managed Tomcat.

Fig. 6. Number of sessions successfully completed of the original Tomcat vs. self-managed Tomcat.

Previous results demonstrate that the self-managed Tomcat is able to attend to more clients while maintaining good QoS. As commented, this occurs as a result of refusing new SSL sessions that cannot be attended. Refusing these sessions can also have an effect on the QoS that clients perceive. In order to quantify this effect we have measured the number of sessions refused by the server and the number of sessions that time out waiting for a server response, as a function of the number of new sessions per second initiated with the server. Fig. 7 shows the results obtained comparing the original Tomcat server with the self-managed Tomcat server, demonstrating that the self-managed Tomcat does not deteriorate the perceived QoS with respect to the original behavior, since the total number of sessions unattended by the server is lower. Notice that when the server is overloaded, surplus sessions tend to time out while waiting for the response of the original Tomcat, while the self-managed Tomcat directly refuses these sessions.

Fig. 7. Number of sessions refused and timed out of the original Tomcat vs. self-managed Tomcat.

Finally, Fig. 8 shows the average number of processors allocated to the server during the execution as a function of the number of new sessions per second initiated with the server, comparing the original Tomcat server with the self-managed Tomcat server. When running the original Tomcat, the hosting platform must statically over-provision the server with the maximum number of processors (four in this case) in order to achieve the maximum performance, because it has no information about its processor requirements. However, this provokes poor processor utilization when the original Tomcat requires fewer processors. On the other hand, the ELM implemented within the self-managed Tomcat is able to accurately calculate its processor requirements and communicate them to the hosting platform, which can dynamically allocate to the server only the processors it requires, as shown in Fig. 8, avoiding processor under-utilization while ensuring good performance.

Fig. 8. Average number of allocated processors of the original Tomcat vs. self-managed Tomcat.

5.2. Multiple Tomcat instances

In this section, we evaluate our overload control strategy by running three multiprogrammed experiments with two self-managed Tomcat instances in a multiprocessor hosting platform with the ECM. Our first multiprogrammed experiment consists of two Tomcat instances with the same priority running for 90 minutes in a 4-way hosting platform. Each Tomcat instance has a variable input load over time, which is shown in the top part of Fig. 9, representing the number of new sessions per second initiated with the server as a function of the time. The input load distribution has been chosen in order to represent the different processor requirement combinations when running two Tomcat instances in a hosting platform. For example, as shown in Fig. 4, when the total workload in the hosting platform is lower than or equal to 3 new sessions/s, the hosting platform is not overloaded, i.e. it can satisfy the processor requirements of all the application instances. In Fig. 9 this occurs in the zones labeled A (between 0 s and 1200 s) and C (between 2400 s and 3000 s). The rest of the time, the requirements of the two Tomcat instances exceed the number of processors of the hosting platform, therefore the hosting platform is overloaded. The hosting platform can be only slightly overloaded, provoking a low performance degradation if overload is uncontrolled (this occurs when the total workload is lower than 8 new clients/s), as for instance in the zones labeled B (between 1800 s and 2400 s) and D (between 3600 s and 4200 s); or completely overloaded, provoking a severe performance degradation if overload is uncontrolled, as for instance in the zone labeled E (between 4200 s and 4800 s).

Fig. 9. Incoming workload (top), achieved throughput (middle) and allocated processors (bottom) of two Tomcat instances in a 4-way Linux hosting platform with ECM if they have the same priority.

As well as the input load over time, Fig. 9 also shows the allocated processors for each Tomcat instance (bottom part) and the throughput achieved with these processors (middle part), presenting this information in a way that eases the correlation of the different metrics. Notice that, when the hosting platform is not overloaded, the two Tomcat instances receive all the processors they have requested, obtaining the corresponding throughput.

When the hosting platform is overloaded, since the two instances have the same priority, the ECM distributes the available processors depending only on each Tomcat request, which depends on each Tomcat's input load. Therefore, the Tomcat instance with the higher input load (that is, with more processor requirements) receives more processors and hence achieves higher throughput. For example, in the zone labeled B (between 1800 s and 2400 s), 3.5 new sessions per second are initiated with Tomcat 1 while only 0.75 new sessions per second are initiated with Tomcat 2. In this case, the input load of Tomcat 1 is higher than that of Tomcat 2, thus Tomcat 1 will receive more processors than Tomcat 2. In particular, Tomcat 1 receives 3.5 processors on average (achieving a throughput of around 175 replies/s) while Tomcat 2 receives only 0.5 processors on average (achieving a throughput of around 45 replies/s). Notice that a processor is being shared between Tomcat 1 and Tomcat 2.

In the same way, in the zone labeled D (between 3600 s and 4200 s), 3.5 new sessions per second are initiated with Tomcat 2 while only 2.25 new sessions per second are initiated with Tomcat 1. In this case, the input load of Tomcat 2 is higher than that of Tomcat 1, thus Tomcat 2 will receive more processors than Tomcat 1. In particular, Tomcat 2 receives between 2.5 and 3.5 processors on average (achieving a throughput of around 155 replies/s) while Tomcat 1 receives only between 0.5 and 1.5 processors on average (achieving a throughput of around 60 replies/s).

Finally, when the input load is the same for Tomcat 1 and Tomcat 2 (for instance in the zone labeled E (between 4200 s and 4800 s)), the two instances receive the same number of processors (two in this case), obtaining the same throughput (around 115 replies/s).

Notice that the EAC ensures that, although the number of required processors is not supplied, the server throughput is not degraded and the response time of admitted requests is not increased, as demonstrated in Section 5.1. This cannot be guaranteed by the Linux default dynamic provisioning strategy, and for this reason, our proposal achieves considerably higher throughput when the hosting platform is fully overloaded, as for instance in the zone labeled E (compare the middle part of Fig. 9 vs. the bottom part of Fig. 1).

Our second multiprogrammed experiment has the same configuration as the previous one but, in this case, Tomcat 1 has higher priority than Tomcat 2 (2 vs. 1). As the two instances have different priorities, the ECM distributes the available processors depending on each Tomcat request and on its priority, following the equation presented in Section 3.1.1. Fig. 10 shows the results obtained for this experiment, presented in the same way as Fig. 9. Notice that now in the zone labeled B, processors allocated to Tomcat 1 have increased, oscillating between 3.5 and 4 on average, while processors allocated to Tomcat 2 have decreased, oscillating between 0 and 0.5 on average, because as well as having higher input load, Tomcat 1 also has higher priority than Tomcat 2.

In the same way, in the zone labeled D, processors allocated to Tomcat 2 have decreased, oscillating between 1.5 and 2.5 on average, while processors allocated to Tomcat 1 have increased, oscillating between 1.5 and 2.5 on average, because although Tomcat 2 has a higher input load, Tomcat 1 has higher priority than Tomcat 2.

Finally, in the zone labeled E, although the input load is the same for Tomcat 1 and Tomcat 2, Tomcat 1 now receives more processors than Tomcat 2 (3 vs. 1), because Tomcat 1 has a higher priority than Tomcat 2. With this processor allocation, Tomcat 1 obtains higher throughput than Tomcat 2 (around 160 replies/s vs. 60 replies/s).

Again, the EAC prevents the throughput degradation that occurred with the default Linux dynamic provisioning strategy, thus the throughput achieved when the hosting platform is fully overloaded (as for instance in the zone labeled E) is higher (compare the middle part of Fig. 10 vs. the bottom part of Fig. 1).

Fig. 10. Incoming workload (top), achieved throughput (middle) and allocated processors (bottom) of two Tomcat instances in a 4-way Linux hosting platform with ECM if Tomcat 1 has higher priority than Tomcat 2.

Fig. 11. Incoming workload (top), achieved throughput (middle) and allocated processors (bottom) of two Tomcat instances in a 4-way Linux hosting platform with ECM if Tomcat 1 has higher priority than Tomcat 2 and Tomcat 1 does not share processors with Tomcat 2.

In our last multiprogrammed experiment, we have the same configuration as in the previous one, but with a slightly different behavior of the ECM in order to benefit the execution of high priority applications. In this experiment, a processor can only be shared from low priority applications to high priority applications, but not the other way around. Fig. 11 shows the results obtained for this experiment, presented in the same way as Fig. 9. As shown in this figure, in the zone labeled B, processors allocated to Tomcat 1 have increased to almost 4 on average while processors allocated to Tomcat 2 are now nearly 0, because Tomcat 1 has higher priority than Tomcat 2 and does not share processors with lower priority applications.

In the same way, in the zone labeled D, processors allocated to Tomcat 2 have decreased to 1 on average while processors allocated to Tomcat 1 have increased to 3 on average, because although Tomcat 2 has a higher input load, Tomcat 1 has a higher priority than Tomcat 2 and does not share processors. With this processor allocation, Tomcat 1 now obtains higher throughput than in the previous experiment (around 150 replies/s vs. 90 replies/s) while Tomcat 2 now achieves lower throughput (around 60 replies/s vs. 125 replies/s).

Notice that with this modification in the processor sharing mechanism, high priority applications can achieve higher throughput, but resource utilization in the hosting platform is a little worse.

6. Related work

The literature dealing with overload in web applications has widely considered the techniques used in this paper, that is, admission control, service differentiation and dynamic resource management.

Admission control and service differentiation have typically been combined to prevent server overload. However, some of these works [15,16] are based on web systems serving only static content and, for this reason, these solutions are not directly applicable to multi-tiered sites based on dynamic web content. Because of this, some works (including our proposal) have focused specifically on these kinds of systems. For example, [17] describes an adaptive approach to overload control in the context of the SEDA [18] web server. SEDA decomposes services into multiple stages, each of which can perform admission control based on monitoring the response time through the stage. In [19], the authors present an admission control mechanism for e-commerce sites that externally observes the execution costs of requests, distinguishing different request types.

Some of these works implement admission control by means of control theory. For instance, Yaksha [20] implements a self-tuning proportional-integral controller for admission control in multi-tier e-commerce applications using a single queue model. Quorum [21] is a non-invasive software approach to QoS provisioning for large-scale Internet services that ensures reliable QoS guarantees using traffic shaping and admission control at the entrance of the site, and monitoring of the service at its exit. In [22], the authors propose a scheme for autonomous performance control of web applications. They use a queuing model predictor and an online adaptive feedback loop that enforces admission control of the incoming requests to ensure that the desired response time target is met.
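As a rough illustration of this family of techniques (and not of any specific system cited above), a proportional-integral admission controller adjusts the fraction of new requests admitted from the deviation of the measured response time with respect to its target. The gains and names below are purely illustrative.

```java
// Generic sketch of PI-based admission control: the admit probability is raised
// or lowered according to how far the measured response time is from its target.
public class PiAdmissionController {

    private final double kp;     // proportional gain (illustrative value)
    private final double ki;     // integral gain (illustrative value)
    private final double target; // response time target in seconds
    private double integral = 0.0;
    private double admitProbability = 1.0;

    public PiAdmissionController(double kp, double ki, double targetSeconds) {
        this.kp = kp;
        this.ki = ki;
        this.target = targetSeconds;
    }

    /** Called once per control interval with the measured average response time. */
    public double update(double measuredSeconds) {
        double error = target - measuredSeconds; // negative when the server is too slow
        integral += error;
        admitProbability = clamp(1.0 + kp * error + ki * integral);
        return admitProbability;
    }

    /** Probabilistic admission decision for an incoming request. */
    public boolean admit() {
        return Math.random() < admitProbability;
    }

    private static double clamp(double p) {
        return Math.max(0.0, Math.min(1.0, p));
    }
}
```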

However, in most of the described works, overload control is performed on a per-request basis, which may not be adequate for many session-based applications, such as e-commerce applications. This has motivated some proposals [23,24] to prevent overload by considering the particularities of session-based applications. However, none of them considers complex e-commerce environments and a combination of techniques as our approach does.

As mentioned, recent studies [4–6] have reported the considerable benefits of dynamically adjusting resource allocations to handle variable workloads instead of statically over-provisioning resources in a hosting platform. This premise has motivated the proposal of several techniques to dynamically provision resources to applications in on-demand hosting platforms.

These proposals can be based on either a dedicated or a shared model [4]. In the dedicated model, some cluster nodes are dedicated to each application and the provisioning technique must determine how many nodes to allocate to the application. In the shared model, which we consider in this paper, node resources can be shared among multiple applications and the provisioning technique needs to determine how to partition resources on each node among competing applications.

Hosting platforms based on a dedicated model tend to be expensive in terms of space, power, cooling, and cost. For this reason, the shared model constitutes an attractive low-cost choice for hosting environments when a dedicated model cannot be afforded. For instance, the distributed resource management technology of IBM's WebSphere Extended Deployment [25] is based on hosting platforms that support multiple web applications, with each web application deployed and replicated on different but overlapping subsets of machines.

The shared model can be implemented as a cluster of servers where several applications can run on the same server, or using a multiprocessor machine that hosts all the applications. Clusters of servers are widespread and easily scalable, but resource provisioning in these systems is more complex and has some efficiency problems. First, software installation and configuration overheads entail some latency when switching a server from one application to another [26]. The second problem arises in session-based environments when the session state must be transferred between servers. These problems have motivated some proposals for reducing these latencies [27].



However, as we are considering e-commerce applications, which are typically session-based, and we want to implement an overload control strategy able to react to unexpected workload changes in a very short time, we focus on SMP hosting platforms.

Depending on the hosting platform architecture considered, the problem of provisioning resources in cluster architectures has been addressed in [26,28–30] by allocating entire machines (dedicated model) and in [31–33,25] by sharing node resources among multiple applications (shared model).

Depending on the mechanism used to decide the resource allocations, dynamic resource management proposals can be classified as control-theoretic approaches with a feedback element [34–36], open-loop approaches based on queuing models to achieve resource guarantees [31,37,38,30], and observation-based approaches that use runtime measurements to compute the relationship between the resources and the QoS goal [33].

However, control theory solutions require training the system at different operating points to determine the control parameters for a given workload. Queuing models are useful for steady-state analysis but do not handle transients accurately. Observation-based approaches (such as our proposal) are most suited for handling varying workloads and non-linear behaviors. In addition, our proposal is fully adaptive to the available resources and to the incoming load in the server instead of using predefined thresholds (e.g. [28]).
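A minimal example of the observation-based style (with assumed names and thresholds, and not the measurement model of [33] or of our system) simply compares the QoS observed at runtime against its goal and adjusts the number of processors requested accordingly.

```java
// Minimal observation-based sketch: the processor request is derived from
// runtime measurements instead of an offline model or fixed, static thresholds.
public class ObservationBasedProvisioner {

    private final double targetResponseTime; // QoS goal, in seconds
    private final int maxCpus;
    private int requestedCpus = 1;

    public ObservationBasedProvisioner(double targetResponseTime, int maxCpus) {
        this.targetResponseTime = targetResponseTime;
        this.maxCpus = maxCpus;
    }

    /** Called every sampling interval with the response time observed at runtime. */
    public int adjust(double measuredResponseTime) {
        if (measuredResponseTime > targetResponseTime && requestedCpus < maxCpus) {
            requestedCpus++; // QoS goal missed: ask for one more processor
        } else if (measuredResponseTime < 0.5 * targetResponseTime && requestedCpus > 1) {
            requestedCpus--; // ample slack: release one processor
        }
        return requestedCpus; // value that would be sent to a global resource manager
    }
}
```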

Nevertheless, most of the described works fail to achieve a global solution for preventing overload. Only the works presented in [39,25] demonstrate that the most effective way to handle overload is to consider a combination of techniques instead of considering each technique in isolation. In this respect, these works are similar to our proposal.

In addition, other novelties of our proposal with respect to previous work include the incorporation of e-business indicators into the resource allocation process (suggested only in a few works such as [32]) and the consideration of the particularities of secure web applications when dealing with overload.

Other approaches for dealing with overload include request scheduling and service degradation. Request scheduling refers to the order in which concurrent requests should be served. Typically, servers have left this ordering to the operating system. But, as it is well known from queuing theory that shortest remaining processing time first (SRPT) scheduling minimizes queuing time (and therefore the average response time), some proposals [40,41] implement policies based on this algorithm to prioritize the service of short static-content requests over long requests. This prioritized scheduling in web servers has proven effective at providing significantly better response times to high-priority requests at a relatively low cost to lower-priority requests. However, although scheduling can improve response times, under extreme overloads other mechanisms become indispensable. In any case, better scheduling can always complement any other mechanism.
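The intuition behind SRPT can be captured in a few lines: pending requests are kept in a queue ordered by the number of bytes still to be sent, so short static requests overtake long ones. This is a generic sketch with illustrative names, not the scheduler of [40] or [41].

```java
import java.util.Comparator;
import java.util.PriorityQueue;

// Generic SRPT sketch: the request with the fewest remaining bytes is served first,
// which minimizes queuing time and hence the average response time.
public class SrptQueue {

    static final class Request {
        final String uri;
        long remainingBytes;
        Request(String uri, long remainingBytes) {
            this.uri = uri;
            this.remainingBytes = remainingBytes;
        }
    }

    private final PriorityQueue<Request> pending =
            new PriorityQueue<>(Comparator.comparingLong((Request r) -> r.remainingBytes));

    public void enqueue(Request r) { pending.add(r); }

    public Request nextToServe() { return pending.poll(); }

    public static void main(String[] args) {
        SrptQueue q = new SrptQueue();
        q.enqueue(new Request("/big-image.jpg", 2_000_000));
        q.enqueue(new Request("/index.html", 8_000));
        System.out.println(q.nextToServe().uri); // /index.html is served first
    }
}
```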

Service degradation is based not on refusing clients as a response to overload but on reducing the service offered to them [42,43,39,17], for example by providing smaller content (e.g. lower-resolution images).

7. Conclusions and future work

In this paper, we have proposed an overload control strategy for secure web applications that brings together admission control based on SSL connection differentiation and dynamic provisioning of platform resources in order to adapt to changing workloads while avoiding QoS degradation.

Our approach is based on a global resource manager responsible for periodically distributing the available processors among the web applications following a given policy. The resource manager can be configured to implement different policies, and can consider traditional indicators (e.g. response time) as well as e-business indicators (e.g. customer priority).

In our proposal, the resource manager and the applications cooperate to manage the resources, in a manner that is totally transparent to the user, using bi-directional communication. On one hand, the applications request from the resource manager the number of processors needed to handle their incoming load without QoS degradation. On the other hand, the resource manager can be queried at any time by the applications to inform them of their processor assignments. With this information, the applications can apply an admission control mechanism to limit the number of admitted requests so that they can be served with the allocated processors without degrading their QoS. The admission control mechanism is based on SSL connection differentiation, that is, on whether the SSL connection reuses an existing SSL connection on the server or not. Prioritizing resumed SSL connections maximizes the number of sessions completed successfully,



allowing e-commerce sites that are based on SSL to increase the number of transactions completed, thus generating a higher profit.
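The cooperation described above can be sketched as follows: the application periodically learns from the resource manager how many processors it has been granted, derives from that figure how many new SSL connections it can afford to negotiate in the next interval, and always admits resumed connections so that ongoing sessions can complete. The method names and the per-processor capacity figure are hypothetical placeholders, not the actual eDragon interfaces.

```java
// Hypothetical sketch of SSL-aware admission control driven by the processor
// assignment reported by the resource manager.
public class SslAwareAdmission {

    private final double newHandshakesPerCpu; // assumed capacity per processor and interval
    private double allocatedCpus;             // last assignment reported by the manager
    private int newConnectionsAdmitted;       // counter reset every control interval

    public SslAwareAdmission(double newHandshakesPerCpu) {
        this.newHandshakesPerCpu = newHandshakesPerCpu;
    }

    /** Invoked when the resource manager communicates a new processor assignment. */
    public void onAllocation(double cpus) {
        this.allocatedCpus = cpus;
        this.newConnectionsAdmitted = 0;
    }

    /** Decide whether an incoming SSL connection is accepted. */
    public boolean admit(boolean resumedSslConnection) {
        if (resumedSslConnection) {
            return true; // resumed connections are always served so their session can complete
        }
        double budget = allocatedCpus * newHandshakesPerCpu;
        if (newConnectionsAdmitted < budget) {
            newConnectionsAdmitted++;
            return true;
        }
        return false; // refuse the new connection rather than degrade ongoing sessions
    }
}
```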

Our evaluation demonstrates the benefit of our approach for efficiently managing the resources of hosting platforms and for preventing server overload in secure environments. Our proposal performs considerably better than the default Linux dynamic resource provisioning strategy, especially when the hosting platform is fully overloaded. Although our implementation targets the Tomcat application server, the proposed overload control strategy can be applied to any other server.

Our future work is directed towards extending our proposal to support heterogeneous applications in the hosting platform. In this respect, we are currently working with the SPECweb2005 benchmark. We are also considering the use of virtualization technologies in order to provide better performance isolation to the applications running in the hosting platform. In addition, we plan to improve resource utilization in the hosting platform when using the ECM by considering fractional allocation of processors.

Overload control and resource management of web applications on shared hosting platforms are hot topics in current research. In addition, security has emerged as an important issue that can heavily affect the scalability and performance of web applications. This work effectively addresses all these issues in a global approach, creating a solid base for further research towards autonomic web systems.

Acknowledgments

This work is supported by the Ministry of Science and Technology of Spain and the European Union (FEDER funds) under contracts TIN2004-07739-C02-01 and TIN2007-60625, and by the BSC (Barcelona Supercomputing Center). For additional information about the authors, visit the Barcelona eDragon Research Group web site [44].

References

[1] E. Rescorla, HTTP over TLS, RFC 2818, May 2000.
[2] A.O. Freier, P. Karlton, C. Kocher, The SSL Protocol, Version 3.0, November 1996. URL <http://wp.netscape.com/eng/ssl3/ssl-toc.html>.
[3] J. Guitart, D. Carrera, V. Beltran, J. Torres, E. Ayguade, Session-based adaptive overload control for secure dynamic web applications, in: 34th International Conference on Parallel Processing (ICPP'05), Oslo, Norway, June 14–17, 2005, pp. 341–349.
[4] A. Andrzejak, M. Arlitt, J. Rolia, Bounding the resource savings of utility computing models, Tech. Rep. HPL-2002-339, HP Labs, December 2002.
[5] A. Chandra, P. Goyal, P. Shenoy, Quantifying the benefits of resource multiplexing in on-demand data centers, in: 1st Workshop on Algorithms and Architectures for Self-Managing Systems (Self-Manage 2003), San Diego, California, USA, June 11, 2003.
[6] A. Chandra, P. Shenoy, Effectiveness of dynamic resource allocation for handling internet flash crowds, Tech. Rep. TR03-37, Department of Computer Science, University of Massachusetts, USA, November 2003.
[7] Jakarta Project, Apache Software Foundation, Jakarta Tomcat Servlet Container. URL <http://jakarta.apache.org/tomcat>.
[8] J. Guitart, V. Beltran, D. Carrera, J. Torres, E. Ayguade, Characterizing secure dynamic web applications scalability, in: 19th International Parallel and Distributed Processing Symposium (IPDPS'05), Denver, Colorado, USA, April 4–8, 2005.
[9] Sun Microsystems, Java Native Interface (JNI). URL <http://java.sun.com/j2se/1.5.0/docs/guide/jni/>.
[10] D. Menasce, V. Almeida, R. Fonseca, M. Mendes, Business-oriented resource management policies for e-commerce servers, Performance Evaluation 42 (2–3) (2000) 223–239.
[11] C. Amza, A. Chanda, E. Cecchet, A. Cox, S. Elnikety, R. Gil, J. Marguerite, K. Rajamani, W. Zwaenepoel, Specification and implementation of dynamic web site benchmarks, in: IEEE 5th Annual Workshop on Workload Characterization (WWC-5), Austin, Texas, USA, November 25, 2002.
[12] D. Mosberger, T. Jin, httperf: a tool for measuring web server performance, in: Workshop on Internet Server Performance (WISP'98) (in conjunction with SIGMETRICS'98), Madison, Wisconsin, USA, June 23, 1998, pp. 59–67.
[13] B. Schroeder, A. Wierman, M. Harchol-Balter, Open versus closed: a cautionary tale, in: 3rd Symposium on Networked Systems Design & Implementation (NSDI'06), San Jose, CA, USA, May 8–10, 2006, pp. 239–252.
[14] MySQL. URL <http://www.mysql.com/>.
[15] X. Chen, H. Chen, P. Mohapatra, ACES: an efficient admission control scheme for QoS-aware web servers, Computer Communications 26 (14) (2003) 1581–1593.
[16] T. Voigt, R. Tewari, D. Freimuth, A. Mehra, Kernel mechanisms for service differentiation in overloaded web servers, in: 2001 USENIX Annual Technical Conference, Boston, MA, USA, June 25–30, 2001, pp. 189–202.
[17] M. Welsh, D. Culler, Adaptive overload control for busy internet servers, in: 4th Symposium on Internet Technologies and Systems (USITS'03), Seattle, Washington, USA, March 26–28, 2003.
[18] M. Welsh, D. Culler, E. Brewer, SEDA: an architecture for well-conditioned, scalable internet services, in: 18th Symposium on Operating Systems Principles (SOSP'01), Banff, Canada, October 21–24, 2001, pp. 230–243.

[19] S. Elnikety, E. Nahum, J. Tracey, W. Zwaenepoel, A method for transparent admission control and request scheduling in e-commerce web sites, in: 13th International Conference on World Wide Web (WWW'04), New York, USA, May 17–22, 2004, pp. 276–286.

[20] A. Kamra, V. Misra, E. Nahum, Yaksha: a controller for managing the performance of 3-tiered websites, in: 12th International Workshop on Quality of Service (IWQoS 2004), Montreal, Canada, June 7–9, 2004.
[21] J. Blanquer, A. Batchelli, K. Schauser, R. Wolski, Quorum: flexible quality of service for internet services, in: 2nd Symposium on Networked Systems Design and Implementation (NSDI'05), Boston, MA, USA, May 2–4, 2005, pp. 159–174.
[22] X. Liu, J. Heo, L. Sha, X. Zhu, Adaptive control of multi-tiered web application using queueing predictor, in: 10th IEEE/IFIP Network Operations and Management Symposium (NOMS 2006), Vancouver, Canada, April 3–7, 2006.
[23] H. Chen, P. Mohapatra, Overload control in QoS-aware web servers, Computer Networks 42 (1) (2003) 119–133.
[24] L. Cherkasova, P. Phaal, Session-based admission control: a mechanism for peak load management of commercial web sites, IEEE Transactions on Computers 51 (6) (2002) 669–685.
[25] G. Pacifici, W. Segmuller, M. Spreitzer, M. Steinder, A. Tantawi, A. Youssef, Managing the response time for multi-tiered web applications, Tech. Rep. RC23651, IBM, November 2005.
[26] K. Appleby, S. Fakhouri, L. Fong, G. Goldszmidt, S. Krishnakumar, D. Pazel, J. Pershing, B. Rochwerger, Oceano – SLA-based management of a computing utility, in: IFIP/IEEE Symposium on Integrated Network Management (IM 2001), Seattle, Washington, USA, May 14–18, 2001, pp. 855–868.
[27] G. Choi, J. Kim, D. Ersoz, M. Yousif, C. Das, Exploiting NIC memory for improving cluster-based webserver performance, in: IEEE International Conference on Cluster Computing (Cluster 2005), Boston, MA, USA, September 27–30, 2005.
[28] S. Bouchenak, N.D. Palma, D. Hagimont, C. Taton, Autonomic management of clustered applications, in: International Conference on Cluster Computing (Cluster 2006), Barcelona, Spain, September 25–28, 2006.
[29] S. Ranjan, J. Rolia, H. Fu, E. Knightly, QoS-driven server migration for internet data centers, in: 10th International Workshop on Quality of Service (IWQoS 2002), Miami Beach, Florida, USA, May 15–17, 2002, pp. 3–12.
[30] B. Urgaonkar, P. Shenoy, A. Chandra, P. Goyal, Dynamic provisioning of multi-tier internet applications, in: 2nd International Conference on Autonomic Computing (ICAC'05), Seattle, Washington, USA, June 13–16, 2005, pp. 217–228.
[31] A. Chandra, W. Gong, P. Shenoy, Dynamic resource allocation for shared data centers using online measurements, in: 11th International Workshop on Quality of Service (IWQoS 2003), Berkeley, California, USA, June 2–4, 2003, pp. 381–400.
[32] J. Norris, K. Coleman, A. Fox, G. Candea, OnCall: defeating spikes with a free-market application cluster, in: 1st International Conference on Autonomic Computing (ICAC'04), New York, New York, USA, May 17–18, 2004, pp. 198–205.
[33] P. Pradhan, R. Tewari, S. Sahu, A. Chandra, P. Shenoy, An observation-based approach towards self-managing web servers, in: 10th International Workshop on Quality of Service (IWQoS 2002), Miami Beach, Florida, USA, May 15–17, 2002, pp. 13–22.

[34] T. Abdelzaher, K. Shin, N. Bhatti, Performance guarantees for web server end-systems: a control-theoretical approach, IEEE Transactions on Parallel and Distributed Systems 13 (1) (2002) 80–96.
[35] M. Karlsson, C. Karamanolis, X. Zhu, An adaptive optimal controller for non-intrusive performance differentiation in computing services, in: International Conference on Control and Automation (ICCA'05), Budapest, Hungary, June 26–29, 2005.
[36] X. Liu, X. Zhu, S. Singhal, M. Arlitt, Adaptive entitlement control to resource containers on shared servers, in: 9th IFIP/IEEE International Symposium on Integrated Network Management (IM 2005), Nice, France, May 15–19, 2005.
[37] R. Doyle, J. Chase, O. Asad, W. Jin, A. Vahdat, Model-based resource provisioning in a web service utility, in: 4th Symposium on Internet Technologies and Systems (USITS'03), Seattle, Washington, USA, March 26–28, 2003.
[38] Z. Liu, M. Squillante, J. Wolf, On maximizing service-level-agreement profits, in: 3rd ACM Conference on Electronic Commerce (EC 2001), Tampa, Florida, USA, October 14–17, 2001, pp. 213–223.
[39] B. Urgaonkar, P. Shenoy, Cataclysm: handling extreme overloads in internet services, Tech. Rep. TR03-40, Department of Computer Science, University of Massachusetts, USA, December 2003.
[40] M. Crovella, R. Frangioso, M. Harchol-Balter, Connection scheduling in web servers, in: 2nd Symposium on Internet Technologies and Systems (USITS'99), Boulder, Colorado, USA, October 11–14, 1999.
[41] M. Harchol-Balter, B. Schroeder, N. Bansal, M. Agrawal, Size-based scheduling to improve web performance, ACM Transactions on Computer Systems (TOCS) 21 (2) (2003) 207–233.
[42] T. Abdelzaher, N. Bhatti, Web content adaptation to improve server overload behavior, Computer Networks 31 (11–16) (1999) 1563–1577.
[43] S. Chandra, C. Ellis, A. Vahdat, Differentiated multimedia web services using quality aware transcoding, in: IEEE INFOCOM 2000, Tel-Aviv, Israel, March 26–30, 2000, pp. 961–969.
[44] Barcelona eDragon Research Group. URL <http://research.ac.upc.edu/eDragon>.



Jordi Guitart received the MS and PhD degrees in Computer Science from the Technical University of Catalonia (UPC) in 1999 and 2005, respectively. Currently, he is a collaborating professor and researcher at the Computer Architecture Department of the UPC. His research interests are oriented towards the efficient execution of multithreaded Java applications (especially Java application servers) on parallel systems.

David Carrera received the MS degree from the Technical University of Catalonia (UPC) in 2002. Since then, he has been working on his PhD at the Computer Architecture Department of the UPC, where he is also an assistant professor. His research interests are focused on the development of autonomic J2EE application servers on parallel and distributed execution platforms.

Vicenç Beltran received the MS degree from the Technical University of Catalonia (UPC) in 2004. Since then, he has been working on his PhD at the Computer Architecture Department of the UPC. Currently, he is a member of the research staff of the Barcelona Supercomputing Center (BSC). His research interests cover the scalability of new architectures for high-performance servers.

Jordi Torres received the engineering degree in Computer Science in 1988 and the PhD in Computer Science in 1993, both from the Technical University of Catalonia (UPC) in Barcelona, Spain. Currently, he is manager for eBusiness platforms and Complex Systems activities at BSC-CNS, the Barcelona Supercomputing Center. He is also Associate Professor at the Computer Architecture Department of the UPC. His research interests include applications for parallel and distributed systems, web applications, multiprocessor architectures, operating systems, and tools for performance analysis and prediction. He has worked on a number of EU and industrial projects.

Eduard Ayguade received the engineering degree in Telecommunications in 1986 and the PhD in Computer Science in 1989, both from the Technical University of Catalonia (UPC) in Barcelona, Spain. He has been lecturing at UPC on computer organization and architecture and optimizing compilers since 1987, and has been a professor in the Department of Computer Architecture at UPC since 1997. His research interests cover the areas of processor micro-architecture and ILP exploitation, parallelizing compilers for high-performance computing systems, and tools for performance analysis and visualization. He has published more than 100 papers on these topics and participated in several multi-institutional research projects, mostly in the framework of the European Union ESPRIT and IST programs.