Information technology (IT)
is transforming society at an accelerating pace, from business systems and
social and political infrastructure to our personal lives. But the current IT
development path will at best severely underutilize its potential and at worst
yield a fragile IT infrastructure unable to meet many of society’s most vital
needs, such as emergency preparedness and response and energy usage monitoring
and control. We propose to establish the Center
for Information Technology Research in the Interest of Society (CITRIS) to sponsor collaborative, IT-focused research to find solutions to
grand-challenge social and commercial problems affecting the quality of life of
individuals and organizations. CITRIS will be a multicampus center, including
UC Berkeley (UCB), UC Davis (UCD) and UC Merced (UCM). This proposal is to
support the key underpinning long term, high risk scientific and technological
research endeavors within CITRIS. The NSF-ITR award will have the potential of
high leverage from other CITRIS activities paid for by private and industrial
donations (Appendix A.)
CITRIS’s driving
applications include (1) boosting efficiency of energy production and
consumption, and (2) saving lives and property and establishing emergency
response IT infrastructure in the wake of disasters, among others [1a]. The
solutions to these applications have the common feature that they depend on
highly-distributed, reliable, and secure (briefly: high-confidence) information systems that can evolve and adapt to
radical changes in their environment, delivering networked information services
and up-to-date sensor network data stores over ad-hoc, flexible and fault
tolerant networks that adapt to the people and organizations that need them. We
call such systems Societial-Scale
Information Systems (SISs). An SIS must easily integrate devices, ranging
from distributed ad-hoc sensors and actuators, to hand-held information
appliances (such as PDAs), workstations, and room-sized cluster supercomputers
at Network Operation Centers. Such devices must be connected by ad-hoc sensor
nets, extranets, short-range wireless networks as well as by very
high-bandwidth, long-haul optical backbones. Distributed data and services must
be secure, reliable, and high-performance, even if part of the system is down,
disconnected, under repair, or under (information) attack. The SIS must
configure, install, diagnose, maintain, and improve its quality of service
features — this applies especially to the vast numbers of sensors that will be
cheap, widely dispersed, and even disposable. Finally, the SIS must allow vast
quantities of data to be easily and reliably accessed, manipulated,
interactively explored, disseminated, and used in a customized fashion by
users, from expert to novice.
The web, telephone network,
and some military and intelligence systems are limited, albeit highly
successful, SISs. Yet none satisfies the needs of the societal problems. Only
by attacking more than one driving application will we learn to design a system
that will meet the needs of other applications that we can only now imagine.
CITRIS will have 3 tiers of
activity: Driving Applications (for
which we deliver an Energy Management SIS (§2.1) and a Disaster Response SIS
(§2.2)), SIS Design (Sensor level
(§3.1), Service level (§3.2), Data Handling (§3.3), Human-Centered Computing
(§3.4)), and Foundations (Reliability
(§4.1), Availability (§4.2), and Security (§4.3)). Each activity has a leader
and affiliates shown below.
For the two driving
applications, we will use and leverage ubiquitous wireless sensor devices,
called SmartMotes, designed by us [1b], which are about one inch
cube in size and include an embedded 8-bit microcontroller, a radio, a sensor
board with microsensors for measuring acceleration, strain, temperature, light,
relative humidity and a battery. We have had around 500 (and expect to have at
least 1000 more) of these made for us by Crossbow, Inc.(not priced on this
grant). Each of these with a 1% duty cycle and 2 AA batteries will last about a
year. The next generation of these MEMS devices called SmartDust (2mm cube)
will have this functionality integrated into a single chip with power
harvesting from the environment, ultra-efficient radio (the size of the sensor
will be dominated by the antenna size), and will provide the distributed,
adaptive self-organizing ubiquitous sensing and computational fabric. All are our
design [1b].
2. Driving Applications
2.1 Energy
Management (Target: 2 pages) (Faculty: Rabaey; Pister, Arens, Sastry)
The deregulation of electricity
and the increasing cost of natural gas have made energy front page news. A
recent CITRIS working group of the above faculty plus key researchers in energy
and resources groups at Lawrence Berkeley Laboratories have established that
that SISs can address and resolve major issues hampering the effective
generation, distribution and utilization of energy, potentially saving
$55B/year and 35M metric tons/year of carbon emissions nationwide [2.1a] just
from better control of HVAC in large buildings. We will demonstrate such an SIS
on the Berkeley campus.
It is possible to save energy on the demand side and
the supply side; we first consider demand.
Demand Side. Two-thirds of primary energy use is in the form of electricity and
about two-thirds of all electricity generated nationally is used in buildings
[2.1b]. We will use SISs consisting of high density wireless sensor/actuator
networks to enable energy conscious control of buildings (including reducing
both total energy as well as peak power demanded. (Wires can be up to 90% of
the total cost of such a system, so they must be wireless.)
·
High-density
sensor networks will allow existing environmental control technologies
to operate in more sophisticated and energy-efficient ways, and the redundancy
of sensors will improve the reliability of control by detecting faulty signals.
·
High-density
sensor networks will also allow new energy-efficient environmental
control technologies to become feasible for the first time.
Imagine
the following scenario: All significant energy-consuming devices in buildings
are equipped with a multifunctional metering, communications, and control
devices. These devices provide real-time information to building owners and
occupants on rate of energy use (e.g., kW), cost associated with energy use
rate ($ per hour), cumulative energy usage and associated costs for past 24 h,
month, and year. By itself, this
information would help energy users to make rational decisions such as how much
and when to use certain devices, and when to take inefficient ones out of
service.
In addition to reducing
total energy use, it is important to limit peak demand through mechanisms like
real-time pricing. Real-time pricing will require more sophisticated
electricity meters than are currently in common use. However, devices that are
moderate to heavy electricity users should also be equipped with controls that
would permit rational response to real-time price signals. With the right combination of sensing and processing
smart appliances could use electricity mostly at off-peak periods.
Thus, by making end-users of the energy-supply chain part of an
integrated network of monitoring, information processing, controlling, and
actuating devices, we enable a wide range of techniques that will both help to
spread the consumption of energy over time reducing peak demand, as well as
help to reduce the average demand of energy through efficiency increase. While
the process of designing, constructing, starting up, controlling, and
maintaining building systems is very complex, and changing the building and
appliance industry overnight is not possible, we believe that a gradual
roll-out plan can show impact in the very near future. We envision a
triple-tiered research program:
Phase 1: Passive monitoring. We will monitor energy usage of
buildings and the health of individual appliances. It is estimated that the
cost of “broken energy systems” in commercial buildings costs 30% of their operational budget
($45B/year nationwide) [2.1a]. This information feedback plays the dual role of
(1) primary feedback to the user on energy-consumption statistics, and (2)
monitoring the health of the equipment and the environment – detect problems at
the source. We will start by fully instrumenting several buildings on the UCB
campus with light and temperature sensors in each room, and make the data
available on a website. Then we will make a wireless power monitor with a
standard 3-prong feed-through
receptacle to monitor power consumption of electronic devices over time,
providing roughly one thousand such devices for rotating use around the campus
to educate, chart usage, verify compliance, real-time display of consumption in
a given room or lab. The impact of these simple devices could be tremendous. A
similar device would be passively coupled to high-power wiring to monitor total
power consumption through breaker boxes.
This would give us a much finer granularity of power-consumption
details, and let us look at clusters of rooms, floors, etc.
We will also instrument the campus steam network.
Phase 2: Developing Mechanisms for Monitoring and Control. By combining the monitoring information with feedback on the cost of usage (augmented by an hourly pricing system reflecting wholesale market prices) helps to close the feedback loop between end-user and supplier. Key challenges here are to develop a pricing scheme which does not in itself cause instabilities in the bidding and consumption process by hierarchical verification.
·
Phase 3: Active
Energy-Management through Feedback and Control¾Smart
Buildings and Intelligent Appliances. The addition of instantaneous and distributed
control functionality to the sensory and monitoring functions (measuring
the operation of systems such as climate conditioning and lighting) increases
the energy-efficiency of these functions dramatically, while at the same time
improving the comfort of the users. We will experiment with control of power at
UCB, enforcing compliance with load reduction, and charging/rewarding
departments according to their use during peak times.
Supply Side: The deployment of SISs can substantially increase the efficiency and
improve the control of the electricity-supply infrastructure as well. Through a
combination of sensing, communication, computation, and control, the network
can achieve major improvements in (1) the management and utilization of the
distributed generation resources, (2) the efficiency of the distribution
network, and (3) dealing with overflow conditions and emergencies. Especially
the fine granularity of the information contents, combined with its timeliness,
make it possible to introduce management and control techniques that otherwise
would be impossible or useless. We list a few examples below; their ultimate
implementation will require collaboration with State agencies.
Increase in
grid transmission capacity. Constraints on line flows limit the use of the
transmission grid to transfer power from the least expensive sources. Such line
flow limits are proxy measures to prevent overheating of transmission line or
other transmission equipment and sag of the lines (that could result in
touching of ground
causing shortingtrees leading to catastrophic failures).
Without direct measurements the flow limits are set conservatively thus unnecessarily
limiting the utilization of the transmission grid. Massive deployment of
sensors that could measure and transmit data on temperature and line sag
coupled with computation that would assimilate such data could significantly
increase grid utilization and enhance the efficiency of electricity supply.
While power companies currently using global environmental data to determine
the load a transmission line can carry at a given time, dynamic and real-time
distributed measurements of the weather conditions may increase the peak load
of a wire as much as 30%.
Emergency
Management. In
case of emergencies (natural disasters, an overburdening of the distribution
network, or through shortfall in available energy), the utilities must now lock
off complete blocks of the power-grid (e.g. rolling blackouts). These blackouts
have an enormous impact on the economy, and may cause life-threatening
situations. The increased control granularity made available through widely
dispersed SISs would make it possible to selectively manage power-consuming
components and systems, and avoid blunt load-shedding. In the case of rolling
blackouts, for instance, it would be possible to keep critical businesses and
functions such as traffic lights on line. When even a larger granularity is
available, one could even turn off non-essential devices, such as
air-conditioning units, individually. For example, devices could routinely be
equipped with a “standby” setting in addition to direct on/off control.
2.2 Disaster
Risk Reduction and Emergency Response(Faculty: Fenves, Glaser, Kanafani,
Demmel)
Each year large natural disasters cost the U.S.
hundreds of lives, many critical structures, and billions of dollars in
economic disruption. Earthquakes present a substantial risk to large cities,
with probability >
60% that a major earthquake will strike California in the next 30 years.
Casualty estimates number in the thousands, direct damage losses are on the
order of $100 to $200 billion and indirect losses due to economix disruptions
could be several times greater. Seismic
hazard is not confined to California; with equally significant risks from the
New Madrid, Boston, and Charleston earthquake zones.
The
NRC report also emphasizes the need to tailor information to consumers in a
disaster, who comprise three main groups: (1) system designers and developers,
(2) official emergency response staff, (3) the public. Designing for these
groups, especially the last two, requires careful user needs analysis. We will
apply our extensive experience [2.2b, 2.2c] in needs analysis to these
communities for SIS.
A current example of a regional sensor network
is the Tri-Net system in California [2.2a, 2.2d, 2.2e] which contains
approximately 750 ground accelerometers, communicating by digital telemetry to
a central server. The ground motion
data collected during an earthquake is used to develop “shakemaps” showing the
distribution of ground motion. Currently,
the shakemap is used to estimate losses [2.2f, 2.2g] although there is no direct
measurement or assessment of loss. With the proposed SIS, information gathering
can be scaled to much denser coverage of not only the ground motion but more
importantly direct sensing of the effects of the ground motion on individual
structures in an urban region.
The most common approach to structural damage
prognoses has been global modal analysis [2.2i] although recent full-scale experiments show that it is far too
insensitive to be useful in practice [2.2j]. A prime example is the modal
analysis work on an abandoned bridge in Albuquerque, NM, where there was only a small change seen in modal
parameter after the main longitudinal plate girder was cut more than 2/3[2.2k].
Only
after the main longitudinal plate girder was cut more than 2/3 through was even
a small change seen in the modal parameters [2.2k]. Global modal
analysis is inadequatedoomed
for several reasons: Because evolving damage is local, a complex structure will
redistribute internal forces to stiffer members as particular beams, columns,
etc. are weakened. Only when damage is sufficient to affect performance of the
entire structure will it be visible through global modal analysis – well after
the safety of the structure is compromised.
Evaluation of damage in structural terms
(diagnosis of cracking, yielding, buckling, etc.) is not sufficient for making
decisions about the safety of a building.
A prognosis must be based on forward simulation of the effects of the
damage with the current loading and expected aftershocks, and requires
integration of measuring and modeling, constantly updating both the model and
information sensed. Each building can
have an online model of itself, constantly updated with parameters estimated
from the damage detection network. As a
major change in state is detected, the updated model will determine the safety
of the structure in the short term,
prioritize the inspection and repair in the longer term, and reprogram the
sensor agents and constitutive model as needed. Information on prognosis may be condensed into an automatic
notification system for occupants, including safe egress routes.
2.2.3 Approach to Structural Data Interpretation. Development of analytical
tools for determining system response in terms of damage initiation and damage
propagation - understanding the interaction between the structural system and
its components - is essential for performance-based design. The system
identification (SI) approach is a powerful statistical tool to quantify and
assess system damage parameters, and has been applied by many structural
researchers [2.2l,2.2m.2.2n,2.2o,2.2p,2.2q,2.2r,2.2s].
System identification requires a model, whether
black-box (e.g. a linear filter) or white box (a physical model). Identification can be made through the
extended Kalman filter [2.2t.2.2u]
which has successfully identified various physical systems. Physical
parameters like elastic moduli, damping coefficients and effects of
soil-structure interaction, can be identified.[2.2v,2.2w,2.2p,2.2x,2.2s].
Updating parameterized constitutive models with measured global response data
has been attempted [2.2y,2.2z]. Integration of finite element modeling with SI
of boundary conditions has been done successfully at UCB [2.2q]. The most
promising parameterization of an evolving system is a unified methodology based
on Bayesian/State-Space identification and adaptive estimation [2.2aa,2.2v].
With updated models, developed locally, forward
simulations can be used to prognosticate the effects of damage. This is
particularly critical when evaluating the safety of a building after a major
earthquake and estimating the probability of collapse in an aftershock. For
forward simulation, parameterized models can be updated and assembled in an
object-oriented framework for simulation [2.2bb,2.2cc]. The models will be
updated locally and assembled over the network in a dynamic process depending
on processing, communication, and power available. Simulations may be centralized
or distributed also. There can be hierarchies of simulation models: reduced
parameter sets for rapid estimates, and more detailed models as processing power
becomes available or sensitivity analysis shows that more refined models will
reduce uncertainty in the prognosis.
Milestones. In year 1 we will develop
model update procedures using sensor data and evaluate with small-scale
laboratory tests. In year 2 we will implement sensing and
diagnosis/progrognosis on structural specimens of building frames that will be
tested on the Pacific Earthquake Engineering Research Center’s earthquake
simulator (“shaking table”). This will provide a controlled laboratory setting
to serve as the first-level testbed for the sensors, networking, and
algorithms. In year 3: we will do field deployment on one of the new
buildings planned for construction at UCB during the scope of the project. We
anticipate collecting data during construction with forced-vibration tests to
verify the system.
2.2.4. SIS for Inventories
of Buildings and Lifeline Networks. Scaling up from individual buildings, owners of
multiple buildings (corporate or university campus) are concerned with a
disaster’s effect on the operation of their enterprise. Similarly, utility
(electricity, gas, water) and transportation networks (highways, railways,
ports, harbors, airports) must synthesize damage information to determine how
to restore service. Owners of multiple facilities require damage assessment,
repair estimates, prioritization of repair, and acquiring and deploying
resources at short time scales rather than weeks or months for repair.
Emergency response staff must be able to
reach key decision-makers and coordinate with other response teams. This
requires new techniques for representing user expertise and current activity.
We will develop tools to build expertise profiles of decision-makers, track
their post-disaster actions, and provide a “knowledge network” so staff can (i)
find an available decision-maker with relevant expertise and who has (ii)
reviewed particular information about the situation and (iii) provide a
visualization of disaster-response teams, including members, information they
are reviewing, and issues that they are dealing with. Such distributed networks can accelerate
decision-making in time-critical situations, and are tolerant of communication failures. A prototype will be built for
the UCB campus.
3.
SIS
Design
The key open problems in designing an SIS to support
the driving applications are as followsgiven below. We will demonstrate such SISs
on room, building and campus scale.
Sensor Level Architecture (§3.1): What is the architecture of a massive distributed sensor system? How should it
be programmed, synchronized, and maintained in the face of real time and low
power constraints, intermittent and permanent failures of individual sensors,
the need to download new software periodically, and physical inaccessibility
preventing local maintenance?
Service Architecture for Distributed Systems (§3.2): A sensor network will be just one component in an SIS of
multiple data repositories, computational services, and system or user
interfaces; some commercial, government, or academic; some reliable and some
unreliable; some trustworthy or untrustworthy; created dynamically under no
central authority. How will these services be created, peered and interfaced in
real time?
Adaptive Data Management
and Query Processing (§3.3): The
data collected by sensor networks will be massive, real-time, intermittent, and
noisy. How will it be collected, summarized, filtered and indexed to provide
diverse users the data they want reliably and in real-time?
Human-Centered-Computing (§3.4): How
do we determine and support the needs of diverse users who need (some of) the
data? How should the data be presented to help them make decisions?
We will demonstrate such SISs on the room, building
and campus scale.
3.1 Sensor Network Level Architecture
(Target: 1 page) (Faculty: Culler, Pister)
3.1.1
Experimental Networked Sensor System Architecture. We
will build on the SmartMotes and SmartDust described in §1, with which we have
extensive experience: We recently dropped a number of styrofoam-encased
SmartMotes from an airplane. They landed, formed an ad-hoc wireless network,
tracked the movement of nearby traffic, and sent it to a remote server. But
many problems remain
The sensor network
architecture has 3 tiers. The microsensor
tier consists of the sensor devices
themselves. Device locations and their communication structure will
change over time due to environmental factors or mobility. The nodes will
create a self-configured, multihop distributed network with extensive in situ data filtering capability. They
must operate unattended for long periods.
The sensor-base tier has far fewer and more powerful base-stations to
serve as gateways to longer range networks and provide analysis and storage
services. These devices are embedded PCs with a sizable power storage, network
connectivity providing a bridge between the low-power wireless network and a
conventional LAN or WAN interfaces, and a rich sensor suite. This tier provides
additional sensor modes with a wider range to be focused on areas of interest,
as determined by localized sensor data, as well as providing communication,
programming, storage, and landmark resources to the microsensor tier.
The analysis
and control tier provides storage and data analysis resources, as well as
facilities to interactively program the
lower tiers. Typically, it consists of
powerful arrays of servers and services.
Our starting point is our
recent TinyOS event-driven system [3.1a]. We began this work because no other
OS handled extensive concurrency, bit or bytewise processing, and dynamic
events in just a few kilobytes of space. We use very fine-grained and light
weight multithreading. But the programming problem differs from parallel
programming or distributed systems because sensor networks operate as
aggregates, where information moves from regions of the network to other
regions according to some higher-level transformation, often with real time
requirements, rather than point-to-point streams and file transfers between
named devices. Our proposed nodal communication model provides 5 primitives:
(1) local multicast transmission, (2) event driven reception, (3)
retransmission pruning, (4) aggregation, and (5) buffer management. These
primitives serve as compilation targets
from higher-level descriptions and as a basis for algorithmic analysis. Networking concepts such as directed
diffusion are built upon them.
Traditional Internet layers
and protocols are too heavy-weight, and SIS communication patterns are very
different. Node identity is often unimportant relative to its role in the
physical topology and the ability to precisely name data the node collects
[3.1b]. Since low-power radio distance is limited, any node may have to serve
as a router and the collection must self-organize into a dynamic, ad-hoc
multi-hop network connecting to external tiers. While ad hoc routing algorithms
can be application independent, application specific aspects must be included
to extract the most value from each precious message [3.1c].
3.2 Service Architecture for
Distributed Systems (Faculty: Katz; Joseph)
Our overarching goal
is to developing a deeper understanding of service
level peering (SLP): creating end-to-end services with desirable and
predictable properties, such as performance and reliability, when provisioned
from multiple and independent service providers. Services, such as distribution
and caching of content (and its dual of sensor-based data collection and
aggregation), mediation and adaptation for diverse end devices and access
networks, billing and accounting subsystems, network mechanisms for indexing,
service location, redirection, and naming, etc., are the building blocks from
which complex distributed applications are constructed. Service platforms like
.NET [3.2a] and ONE [3.2b] are monolithic with limited cross-platform
interoperability and no performance guarantees. SLP is essential for rapid SIS
construction, by reducing the time to build services from independently
deployed implementations, e.g., if electricity operators select alternative
stand-alone systems for collecting real-time demand information, SLP allows
these to interoperate under end-to-end constraints, such as sufficient
bandwidth for data collection with limited latency to feed the demand
management algorithms.
Our
service architecture must support the dynamic confederation of collaborating
and competing service providers. Most prior work has focused on a single
provider [3.2c,3.2d,3.2e]. Our Clearinghouse
[3.2f] offers a starting point for a scalable network resource manager
based on reservations, admission, and policing, primarily for performance
sensitive packet voice and video applications, that works across service
providers. While focused on network bandwidth, it can be extended to manage
processing and storage in the wide-area [3.2g,3.2h,3.2i] and its applications
can be generalized to wide-area content distribution and assembly [3.2j]. It
combines hierarchical monitoring and allocation with service provider
peer-to-peer negotiation to achieve a combination of local control and
scalability.
The
primary challenge is to achieve SLP and resource sharing in an environment of
limited trust and cooperation. The elements include: (i) an open service and
resource allocation model, (ii) description of service provider resources,
capabilities, and current status [3.2k], (iii) resource allocation mechanisms
based on economic methods, such as electronic auctions, coupled with real-time
accounting/billing/settlement systems [3.2l] for the resources used, (iv)
mechanisms for managing trust relationships among clients and service
providers, and between service providers, based on trusted third party
monitors, and (v) general services for forming dynamic confederations, such as
discovering potential confederates and managing trust relationships.
We
will construct testbeds at a variety of scales to investigate how the proposed
architecture generalizes: room, building, campus, and regional-scales. At
room-scale, the architecture coordinates bandwidth and limited processing among
collaborating sensors and access points. At the building-scale, the testbed is
extended to investigate resource coordination for bandwidth, processing, and
storage across independent service providers in different regions of the
building. The campus-scale testbed extends the environment in the directions of
greater diversity of network technologies, with overlay service providers
intermixed with departmental service providers within builders. Through some of
our industrial collaborators (Appendix A), we plan to obtain measurements,
experiment with new services and their resource demands, and generally gain
experience of the opportunities and constraints in the wide-area through a
regional-scale testbed.
3.3 Adaptive Data Management and Query Processing
(Faculty: Franklin and Hellerstein)
The data management components of an SIS must quickly evolve and
adapt to radical changes in data availability, systems, and network characteristics,
and scale to large, highly-distributed collections of information. They must also meet the demands of a diverse
user base, and actively assist users in exploring vast quantities of data in a near-real time
manner. This includes managing
information requests from a number of information visualization applications,
as discussed below in §3.4.
Traditional
database systems cannot meet these challenges for several reasons. (1) Traditional database
management systems assume a relatively static collection of information. In a dynamic emergency-response environment,
in which the data arrives in a real-time stream, this approach fails because
there are no reliable statistics about the data and because the arrival rates,
order, and behavior of the data streams are too unpredictable [3.3a,3.3b]. (2) Existing
approaches cannot cope with failures while processing a large query. (3) Existing approaches are optimized to deliver a complete
answer, without intermediate results. When users will interact with an SIS in a fine-grained fashion, such approaches are
unacceptable. Processed data must be
passed on to the user as soon as they are available. Furthermore, because an SIS is interactive, users may choose to
modify their queries based on previously returned information or other
factors. Thus, the system must gracefully
adjust to changes in user needs [3.3c].
The research plan for data
management in SIS addresses these three issues:
Adaptive Data Flow Processing. The
Telegraph project is developing an adaptive dataflow processing engine. Telegraph uses a novel approach to query
execution based on “eddies”, which are dataflow control
structures that route data to query operators on an item-by-item basis
[3.3d]. Telegraph does not use a traditional query plan, but
rather, allows the “plan” to develop and adapt during execution. For queries over continuous data streams, the system continually
adapts to changes in data arrival
rates, data characteristics, and availability of processing, storage, and
communication resources. An initial prototype of Telegraph has been built, but
much work remains. Challenges include:
1) developing cluster based and
wide-area implementations of the processing engine, 2) supporting efficient
continuous queries over streaming data from sensors and web-based sources, and
3) designing fault-tolerance mechanisms
for continuous queries. These will be
designed to support the development of appropriate user interfaces for
manipulating and querying data flows, as described in Section 3.4 below.
Sensor
Query Processing.
Much of the data to be processed in SIS will stream in from low-power
sensors. Techniques for querying and maniuplating these data streams will be
crucial. These techniques must not only
be efficient, but must also tolerate the power limitations and error
characteristics of the sensors. We plan
to extend the data flow query processing architecture with two techniques for sensors:
1) the ``Fjords'' operator architecture, and 2) power-sensitive ``sensor
proxy'' operators. The Fjords
architecture provides the functionality and interfaces to integrate erratic, streaming dataflows
into query plans. It allows streaming
data to be pushed through operators that pull from traditional data sources,
efficiently merging streams and local data as samples flow past. Fjords also allow processing from multiple
queries to share the same data stream, thereby providing huge scalability
improvements. Sensor proxies are
specialized query operators that mediate between sensors and query plans, using
sensors to aid query processing while adapting to their power, processor, and
communications limitations.
Context Aware Data and Event
Dissemination. Due to
the huge volume of data managed by the SIS, such a system must provide special
support for the targeted and timely delivery of relevant data and notifications
to users based on their interests, roles, and context at a particular
time. Such dissemination must be driven
by user profiles, which contain information about user requirements,
priorities, and information needs [3.3e, 3.3f]. We envision a user profile
language that allows the specification of three types of information: 1) Domain specification: a specification of
the kinds of data that are of interest to the user. This description must be declarative in nature, so that it can
encompass newly created data in addition to existing data. The description must also be flexible
enough to express predicates over different types of data and media. 2)Utility specification: because of
limitations on bandwidth, device-local storage, and human attention, only a
small portion of available information can be sent to a user. Thus, the profile must also express the users
preferences in terms of priorities among data items, desired resolutions of
multi-resolution items, consistency requirements, and other properties. 3) Context specification: user context can
be dynamically incorporated into the dissemination process by parameterizing
the user profile with user context information, for example, as used by the
CrossWeaver project described in Section 3.4.
The challenges here involve language development, profile processing
issues, and delivery scheduling. We plan to draw on our earlier work on
large-scale XML document filtering for this purpose [3.3g].
3.3
Adaptive Data Management and Query
Processing (Faculty: Franklin and Hellerstein)
Societal Information Systems present challenges
that cannot be met by existing data management technology. These challenges
stem from their large scale, highly-distributed nature, and the need to
actively assist users in wading through vast quantities of data in a near-real
time manner. A key requirement for data management in SIS is adaptability. That is, the data management components of the SIS infrastructure
must be able to quickly evolve and adapt to radical changes in data
availability and content, systems and network characteristics, and user needs
and context.
Traditional database query
processing systems break down in such environments for a number of reasons:
First, they are based on static approaches
to query optimization and planning. Database systems produce query plans using
simple cost models and statistics about the data to estimate the cost of
running particular plans. In a dynamic dataflow environment, this approach
simply does not work because there are typically no reliable statistics about
the data and because the arrival rates, order, and behavior of the data streams
are too unpredictable [3.3aUFA98] [3.3bHFCD+00].
Second, the existing
approaches cannot adequately cope with failures that arise during the
processing of a query. In current database systems, if the failure of a data
source goes undetected, the query processor simply blocks, waiting for the data
to arrive. If a failure is detected, then a query is simply aborted and
restarted. Neither of these situations is appropriate in an SIS environment in
which sources and streams behave unpredictably, and queries can be extremely
long-running (“continuous”).
Third, existing approaches are
optimized for a batch style of
processing in which the goal is to deliver an entire answer (i.e., they are optimized for the delivery
of the last
result). In an SIS environment, where
users will be interacting with the system in a fine-grained fashion, such
approaches are unacceptable. Processed
data (e.g., query results, event notifications, etc.) must be passed on to the
user as soon as they are available.
Furthermore, because the system is interactive, a user may choose to
modify her queries on the basis of previously returned information or other
factors. Thus, the system must be able
to gracefully adjust to changes in the needs of the users [3.3cHACO+99].
The research topics we plan to
address in data management for SIS are the following:
Adaptive
Data Flow Processing . The Telegraph project at
UC Berkeley is developing an adaptive dataflow processing engine. Telegraph uses a novel approach to query
execution based on “eddies”, which are dataflow control structures that route
data to query operators on an item-by-item basis [3.3dAH00]. Telegraph does not rely upon a traditional
query plan, but rather, allows the ”plan” to develop and adapt during the
execution. For queries over continuous
streams of data, the system can continually adapt to changes in the data
arrival rates, data characteristics, and the availability of processing,
storage, and communication resources. An initial prototype of Telegraph has
been built, but much remains to be done. The challenges to be addressed
include: 1) the development of cluster-based and wide-area implementations of
the processing engine, 2) the design of fault-tolerance mechanisms,
particularly for long-running queries, 3) support for continuous queries over
streaming data from sensors and web-based sources, and 4) the development of
appropriate user interfaces for manipulating data flows.
Sensor Query Processing. Much of the data to be processed in SIS will be continually
streaming in from tiny, low-power sensors. Techniques for querying these sensor
data streams will be crucial. These
techniques must not only be efficient, but must also be tolerant of the power limitations
and error characteristics of the sensors.
We plan to extend the data flow query processing architecture with two
techniques for dealing with sensors: 1) the “Fjords” operator architecture, and
2) power-sensitive “sensor proxy” operators.
The Fjords architecture provides the functionality and interfaces
necessary to integrate erratic, streaming dataflows into query plans. It allows streaming data to be pushed
through operators that pull from traditional data sources, efficiently merging
streams and local data as samples flow past.
Fjords also allow processing from multiple queries to share the same
data stream, thereby providing huge scalability improvements. Sensor proxies are specialized query
operators that serve as mediators between sensors and query plans, using
sensors to facilitate query processing while adapting to their power,
processor, and communications limitations.
Context Aware Data and Event
Dissemination. Due to the huge volume of data
managed by the SIS, such a system must provide special support for the targeted
and timely delivery of relevant data and notifications to users based on their
interests, roles, and context at a particular time. Such dissemination must be driven by user profiles, which contain information
about user requirements, priorities, and information needs [3.3eCFG 00] [3.3fCFZ01]. We
envision a user profile language that allows the specification of three types
of information: 1) Domain
specification: a specification of the kinds of data that are of
interest to the user. This description
must be declarative in nature, so that it can encompass newly created data in
addition to existing data. The description must also be flexible enough to
express predicates over different types of data and media. 2)Utility specification: because of
limitations on bandwidth, device-local storage, and human attention, only a
small portion of available information can be sent to a user. Thus, the profile
must also express the user’s preferences in terms of priorities among data items,
desired resolutions of multi-resolution items, consistency requirements, and
other properties. 3) Context
specification: user context can be dynamically incorporated into
the dissemination process by parameterizing the user profile with user context
information. This context information
may be obtained through on-line observation of users, or from other sources
such as data stored in Personal Information Management (PIM) applications such
as the calendar, contact list, and To Do list. The challenges here involve
language development, profile
processing issues, and delivery scheduling. We plan to draw on our earlier work
on large-scale XML document filtering for this purpose3.4
.
Human
Centered Computing(Target: .5 pages)
(Faculty: Canny, Hearst, Landay,
Saxeniaen)
Information
visualization tools for disaster response should help diverse groups of users
make sense of the situation as it unfolds in real time. Converting a massive,
linked and distributed multi-sensor environment into human-understandable organizations
will require development of fundamentally new human-computer interaction
methods. Visualization will be critical both for helping system developers
understand the placement and use of real-time sensor data, and for emergency
response staff when responding to a disaster situation, but the interfaces for
these two groups are likely to differ radically. The UCD visualization group
has extensive experience in the problems of scalable, hierarchically-organized
information visualization (§3.4.1), and others at UCB have been examining how
to convert non-spatial information into human-understandable knowledge. [3.4a, 3.4b, 3.4c,3.4d,3.4g,3.4h]]Olsen et al.
98, Avnur et al. 98, Hearst 99, Glaser 99, Yee 01].(see http://www.sims.berkeley.edu/courses/is247/f00/projects.html
http://datasplash.cs.berkeley.edu/online/).
Innovative
interfaces will be developed for the emergency response staff in the field and
the public at large, both for monitoring the situation and for understanding how to respond what they
specifically should do in response. The information must be
accessible from many a large
number of different devices with different kinds of network
connectivitiesy,
and weit
cannot be
assumed
that devices available to the public will be of the same quality as those
available to the emergency response staff. User interfaces techniques must be
designed that are sensitive to the size and the bandwidth of the access device,
and so must work across large-wall sized displays, the web and on PDAs.
We
have had
some early experience building wall-sized interfaces to helpsupport the management
of firefighters
on at the scene of a
fire (see [3.4ie]http://ratbert.bmrc.berkeley.edu/courseware/cs169/spring01/projects/firewall). .We will continue this work and
adapt this workit
to other situations, such as earthquakes. Interfaces must also work seamlessly
in different modalities; for example, audio input and output will be necessary
for the visually impaired or for those driving emergency vehicle driverss.
We are developing a design tool called CrossWeaver to help design and build such these types of cross-platform,
multi-modal user interfaces (see [3.4f], 3.4j].http://guir.berkeley.edu/crossweaver).
Interfaces should also respond to their context of use, e.g. -- for example, where the user is locationed and stress or danger what level
of
stress or danger they are under should be determined automatically
and used to modify what is displayed on the interface. We Researchers at UCB are
developing context-aware interface systems for distributed devices [3.4fgHong 01].
We will use CrossWeaver along with this context-aware infrastructure to develop
a variety of interfaces for the emergency response staff as well as the public.
3.4.15 Interactive Visualization of Multisource Data Streams and
Exploration of Multi-source Data Streams in Collaborative Environments Using
Parallel and Distributed Computing (Target: .5 pages) (Faculty:
Hamann; Max, Joy, Ma)
The required data Vvisualizatizingon and exploration technology
for massive
data streams generated by up to millions of sensors requires new techniques monitoring
energy status and consumption in large building complex do not yet exist.
How do we visualize vast amounts of data over long distances where
collaborative and/or time-critical data exploration is essential? How can we
combine and super-impose data streams from generated by sensor
arrays and other sources and
visualize them in a super-imposed fashion? What type of networking
technology and architecture can help facilitate data
collection and interpretation? Can topological approaches, used in
scientific data analysis help "simplifying" massive
sensor data?
The
data sets generated by our
these
types of applications must be reduced and compressed,
and “summary" views provided. To achieve the needed compression, we will
investigate hierarchical networking architectures in support of hierarchical
data representations/formats. We will design hierarchical compression schemes
(multi-resolution/wavelet methods) to support progressive data transmission for
this purpose. Our These are research foci will be areas we
will focus on: real-time multi-resolution
compression/ and decompression
schemes; collaborative data exploration over high-speed networks, real-time
feature extraction of topologically/qualitatively relevant subsets; rendering
and immersive interaction technology for large-scale displays environments (power
walls); and parallel and distributed computing technology for compression, analysis,
and visualization. We will need to merge multiple views of an event, such as
Image-Based Rendering with maps superimposed with damage data.
For this project,
Tthe
UC Davis
Group will build on its experience with the development of innovative techniques
for geometric modeling, hierarchical data approximation and visualization, and
multi-resolution rendering in immersive environments. This gGroup has
published extensively during the past five years; emphasis areas that are
related directly to this ITR proposal include hierarchical representation of
massive data sets, see [3.5aBertram00a],
[3.5bBertram00b],
[Bertram00c],
[3.5cBremer01],
[3.5dGieng98],
[3.5eHamann99a],
[3.5fHeckel99b],
[3.5gKreylos99],
[3.5hSchussman00],
and [3.5iTrotts99];
reconstruction of geometrical information/models, see [3.5jBonnell00], [3.5kGregorski00], [3.5lHamann99b], and [3.5eHeckel99a];
rendering of massive data sets, see [3.5mKreylos00], [3.5nKuester00], and [3.5oLaMar99]; and
topological, qualitative analysis of flow data, see [3.5pScheuermann00].
4.Foundations
4.1
System
Reliability (Target 2-3 pages) (Faculty:
Henzinger, Aiken, Necula, Pister, Sastry, Wagner) (no refs
yet!)
Concerns
over IT system reliability increase with society's reliance on these
systems. From a historical standpoint,
this corresponds to the maturing of new technologies when the search for
additional features is replaced by the need for High Confidence Systems. While functionality, speed, and availability
dominate the headlines about new IT systems, the success of SISs will
ultimately depend on reliability, including safety, predictability, fault
tolerance, and their ability to interact with hard real-time constraints. Hand
in hand with these demands are the needs to understand the vulnerabilities of
SISs to information attack. We expect
SISs to be subjected to either malicious or accidental attack, and cannot
afford to have societal-scale systems be compromised. We believe that there are three central issues that need to be
addressed in order to achieve acceptable reliability in SISs:
Modeling, prediction, and design of
complex systems.
Software quality, and Software quality. ????
The first
"weak link" in current design practice stems from the intrinsic
*complexity* of SISs. While
"complexity" in science usually refers to the understanding of
complex systems that occur in nature (such as weather prediction), we submit
that a different kind of complexity arises in systems that are designed by
humans, and that if properly understood, this complexity can be controlled. The complexity of SISs arises
from the large number of distributed but interacting components, the
heterogeneous nature of components (digital computers as well as analog
devices), the many levels of abstraction used in design (such as physical, system,
protocol, and application layers), the many different aspects of system
performance(such as functionality, timing, fault tolerance), and the many,
often unpredictable ways in which the environment (sensors, users, failures,
attackers) can influence the behavior of the system. Since current design practices are hitting their
limits in the design of more homogeneous complex systems, such as
microprocessors and software (see below), they cannot achieve acceptable
reliability in SISs. We propose
research in two key directions towards managing complexity by design: Modeling
and analysis of networked hybrid and embedded systems, and Multi-aspect
interfaces for component-based design.
Software quality.
The second
weak link in current design practice concerns the lack of quality control in
the development of large, concurrent software systems. As every SIS has significant
software components that interact with each other as well as with sensors and
actuators in many complex (see above) ways, software quality is an area of
particular vulnerability for SISs. We propose
research in Combining static and dynamic software analyses for improving
software quality.
Information Assurance for SISs.
While we
have all been sensitized to the possible damage that can be wrought by denial
of service, viral and other attacks on networks, we feel that SISs need to be
even more resistant to attack. For sensor
networks this translates into the need for understanding the vulnerabilities of
the information gathering to appropriation of rogue nodes, attempts at
deliberate mis-information and other modalities of attack. We propose a program of research on
information assurance for SISs: in section 4.1.4.
4.1.1 Modeling and analysis of networked
hybrid and embedded systems
The first "weak
link" in current design practice stems from the intrinsic *complexity* of
SISs. The complexity of SISs arises from the large number
of distributed but interacting components, the heterogeneous nature of
components (digital computers as well as analog devices), the many levels of
abstraction used in design (such as physical, system, protocol, and application
layers), the many different aspects of system performance(such as
functionality, timing, fault tolerance), and the many, often unpredictable ways
in which the environment (sensors, users, failures, attackers) can influence
the behavior of the system. Both target
applications of CITRIS involve complex digital systems (computers and networks)
interacting with the physical world through distributed sensors and actuators. Such a hybrid systems hierarchically layer
the characteristics of discrete and continuous models of computation. While
theories and tools for modeling and analyzing hybrid systems have emerged over
the past few years in control applications,
this research has focused mostly on developing algorithms (and
impossibility results) for solving simple mixed discrete-continuous control
problems. SISs are hybrid
systems of a complexity that is certainly not open to precise algorithmic analysis. The focus must therefore shift to hybrid
modeling techniques for capturing composition, hierarchy, and heterogeneity in
a mixed discrete-continuous setting, and to approximate and stochastic
techniques for system analysis and simulation (see for example [4.1aHenzinger-Sastry98]
and [4.1h, 4.1n,4.1bTLS00]).
While
in classical hybrid systems theory, a single or small number of plants is
modeled using differential equations, and a single or small number of
controllers is modeled using state machines, such "hybrid automata" [4.1d, 4.1v] models are inadequate
for networked embedded systems with a large number of sensor, processor, and
actuator nodes. First, the appropriate
model for a large number of nodes is continuous, not a discrete composition of individual
discrete components, in the same way in which fluid dynamics and population
dynamics are best studied abstractly as continuous processes [4.1y], not as
collections of individual molecules or creatures. Second, for large networks, unpredictable and faulty behaviors of
individual nodes need to be modeled using global stochastic assumptions. This is a paradigm shift from concrete
discrete behavior, which is too complex to be analyzed, to
abstract continuous behavior, for which we will develop simulation and analysis
techniques. .At the same time, new
discrete phenomena emerge on the abstract level, in the form of mode switches
or phase transitions. For example,
a sensor network may tolerate a certain number of faults without compromising
its performance, but degrade quickly if that number is exceeded. This new view of modeling
hybrid systems is accompanied by a paradigm shift from model construction
(given the individual components and topology) to model extraction from
simulation data, together with a paradigm shift from model verification (given
a requirements specification) to model prediction (forecasting). In particular, active run-time monitoring
and forecasting can be used for dynamically reconfiguring and optimizing the
network.
Another
area of special interest concerns the development of micro-protocols for the
kind of real-time networks of embedded systems involved in SISs, for
distribution services like synchronization, replication, consensus, leader
election, etc. The classical solutions
from distributed algorithms, as well as best-effort networking protocols, are
no longer appropriate in a setting where individual misbehavior, such as
individual sensor failure or package delay, is a common occurrence of low cost,
but the cost of system wide
misbehavior, such as global breakdown or global reaction delay is high. This suggests the design of group
communication protocols that may tolerate erratic micro-behavior in order to
optimize macro-behavior and avoid undesirable global phase transitions.
4.1.2 Multi-aspect interfaces for
component-based design
Existing
formal design methodologies are either optimistic or pessimistic. The
optimistic approach advocates strictly top-down, stepwise refinement design,
with the design team in full control of the complete design. It does not allow for some parts or aspects
of the design to be unknown, unpredictable, or evolving. The pessimistic approach is strictly
bottom-up, component-based design, where some components may be pre-existing,
and the design of each component must consider an environment that behaves in
arbitrary, possibly adversarial way.
The
centerpiece of our approach [4.1cHQR00] is the
development of component interfaces that are much more expressive than
traditional interfaces used in software or hardware designs. First, the interfaces we envision must specify both the
component does and what it expects the environment to do.not only
specify, on some abstract level, what a component does, but also what the
component expects the environment to do. Such "assume-guarantee interfaces"
allow the designer of a component to adopt an optimistic view about some
aspects of the other components, as if those aspects were under the designer's
control, and at the same time adopt a pessimistic view about other aspects of
the other components and the environment, which may be unknown at design time
or unpredictable. Second, the
interfaces we envision not only specify aspects that are traditionally
specified in interfaces, such as the number and types of the arguments of a
procedure, but permit the specification of wide variety of different aspects[4.1l]. There has been considerable work on functional
interface languages, little on timing and security, and virtually none on other
system aspects such as resource management, performance, and reliability. This lack of multi-aspect interface
formalisms has forced designers to address timing, security, performance, and
reliability issues at all levels of the implementation in order to attain the
desired properties for the global system.
We
propose to develop for SISs a theory of composition for multi-aspect interfaces [4.1g], and to which expose
resource properties, such as real-time assumptions and guarantees. Based on such a theory, we will develop
algorithms and tools for checking the consistency and compatibility of
multi-aspect interfaces[4.1o]. Multi-aspect interfaces benefit also the
validation, portability, and evolvability of a system. The validation task can be decomposed into
two largely independent phases [4.1e]: the validation that each component
satisfies its interface, and the validation that the overall system
requirements are met, given the component interfaces.
For the
latter phase, we can use the interfaces to construct simulation models that
exhibit worst-case component behavior, and validate the system with respect to
such simulation models.
Interfaces that Expose Real-time Behavior. Traditional API component specifications are
usually based on an informal, English-based description of the functionality,
the only formal information being input and output type information for
function calls.
This
situation is radically different for real-time systems, where the quantitative
differences of the underlying architectures (in terms of speed, memory,
response times) play an essential role in determining the viability of the
whole design, and are not masked by programming abstractions. The quantitative timing aspects of the behavior of components,
however, are captured only in minimal part by the current informal approach to
component specification. The real-time component of their behavior is either
specified generically in separate documents, or it has to be inferred from a
detailed analysis of the architecture.
By contrast, multi-aspect interfaces will permit the specification of
timing assumptions and guarantees in an abstract, platform-independent way [4.1f]. An assume-guarantee interface specifies that the
component guarantees certain behavior, under the assumption that the
environment behaves correctly. To support the construction of systems derived from
composing multi-aspect interfaces, we will develop techniques for the assume-guarantee
compositional reasoning about aspects that include timing, resource, and
performance properties [4.1m].
Interfaces that Expose Probabilistic
Behavior.
Multi-aspect interfaces will be able to capture not only deterministic
guarantees, but also probabilistic properties connected to performance and
reliability, such as the probability of meeting deadlines [4.1k]. In fact, many timeliness properties of
real-time systems can be studied only in a probabilistic setting. We will develop assume-guarantee techniques
for reasoning compositionally about probabilistic real-time interfaces. In addition, we will develop algorithms for
checking the compatibility of such interfaces. The focus on the interface
level, without regard to implementation details, will ensure compositionality
and a degree of abstraction that makes the application of formal tools feasible [4.1x, 4.1z].
4.1.3 Software Quality: Combining static and
dynamic software analysis
Our goal is
to invent a new class of techniques and tools for finding and removing defects
in complex software systems. With
very few exceptions, the current tools available to software developers can be
classified as either exclusively static (the analysis is done by reasoning
about the program text without running the program [4.1s, 4.1t, 4.1u]) or exclusively dynamic
(the analysis is done by executing the program). We believe there is a class of useful tools that combine static
and dynamic approaches and that research in this direction is likely to be
productive and to require new, basic techniques.
. For example,
type checking (a static analysis) excels at reliably detecting certain classes
of bugs without the need to execute the program. Software testing (executing a program on sample
inputs---a dynamic analysis) is the mainstay of quality assurance departments
in industry. Both
approaches have inherent limitations. By their
nature, static analysis tools can prove useful, but limited properties of all
program executions. Dynamic analysis
tools can prove very precise properties, but only of single executions. We envision a better world, made possible
viaby
a tight coupling of static and dynamic analysis techniques. In this world, static analysis techniques
allow the construction of "active" testing infrastructures that use
information derived from static analysis of the program to automatically
produce customized test harnesses and tests targeted at particular semantic
properties. In addition, the
infrastructure provides a framework for the addition of other static or dynamic
analyses, such as residual analysis. Such mixed
dynamic/static analysis tools are effective because the two approaches are
naturally complementary and in fact mutually reinforcing in well-designed
applications
Statically Assisted Testing. This is an example of a dynamic-then-static
analysis. Using static analysis
techniques to infer needed information from the program source, it should be
possible to automate much of the process of constructing and maintaining a test
infrastructure. Given an initial test suite with some coverage, how much can
coverage be improved by purely static techniques? By a combination of instrumented tests and static analysis, it
should be possible to perturb given tests to improve coverage. Dually, given a set of tests, how orthogonal
are they, and can
we find that subset without a brute force solution that examines all possible
subsets? Finally, given a program, a test suite, and a change to the program,
use dependency analysis (a static analysis) to eliminate tests that do not need
to be rerun because their result could not be affected by the change.
Residual Analysis. This is an example of a static-then-dynamic
analysis. Static analysis is useful for proving conservative
bounds on a program property. The idea of emitting residual code to cover cases at run-time
that cannot be dealt with statically is well-understood from the fields of
partial evaluation and soft (or dynamic) typing [4.1p,4.1q, 4.1r]. The next step is to use the residual code to drive testing: the
inserted tests show where testing effort should be focused, and the information
computed by the static analysis suggests a range of test cases to try. By replacing memory safety in this
discussion with any other desired safety property, we see that residual
analysis is one general recipe for a class of static-then-dynamic analyses.
4.1.4 Information Assurance for SISs
Information
assurance includes for SIS includes both
lightweight authentication and scalable key distribution techniques (see which will be discussed in § 4.3). Here we discuss
information processing for possibly compromised SISs. We will study the use of
traditional fault-tolerant networking techniques such as replication and
partitioning of network services, redundancy of network resources and
survivable network overlays (including replica creation and management). In the area of self healing of networks, we
will use bring to
bear techniques from statistical signal processing in two
different ways: when a rogue node starts broadcasting information that is
widely deviant from hypotheses that are determined to be true either on the
basis of past data or from a number of other (possibly uncorrupted) nodes [4.1z], we will use
decision networks to treat the rogue node information as an outlier and thereby
discard it and at the same time propagate the hypothesis up the hierarchy of
the SIS. In the event of a large scale
attack on a group of nodes, we will explore the use of game-theoretic methods
(against an intelligent adversary) to isolate the group of nodes that are under
attack and propagate alarms up the SIS hierarchy about the need for intervention.
4.2
System
Availability (Target: 2-3 pages) (Faculty:
Patterson, Yelick)
High availability of all
levels of an SIS is a prerequisite to wide-scale acceptance, but the techniques
used to achieve high availability differ across the system. Within sensor networks, the hardware
components are unreliable, and there are few extra resources available for
replication – availability comes from inherent redundancy in the collected data
and the algorithms that use it. Within
a cluster, the individual hardware components are more reliable, but at very
large scales component failures are still an issue and particular data values
may be essential, so explicit measures are needed to ensure availability.
The two major components of availability are the
failure rate and the repair time.
Availability may be improved by either reducing the failure rate or by
improving repair time. Failures may be
due to hardware, software, or human errors.
Better design and software technology described in the previous section
will reduce software errors, but it will not eliminate them. Conventional techniques ofat fault
tolerance address the failure rate of systems, primarily through the use of
redundant hardware and data. While we plan to employ these techniques within an
SIS cluster, we propose to investigate three new areas in high availability
systems: Repair-Centric Ddesign,
Availability Mmodeling,
and Performance Ffault
Aadaptation..
4.2.1
Repair-Centric Design
An important factor in the
availability if real systems human-induced system failures. Data from
the late 1970s reveals that operator error accounted for 50-70% of failures in
electronic systems, 20-53% of missile system failures, and 60-70% of aircraft
failures [4.2e1].
Data from Tandem [4.2g3],
VAX [4.2l9],
the telephone switching system [4.2j7], and Oracle [4.2k8] all place the
fraction of system failures due to humans between 40% and 50% of all failures.
Our approach to this problem is called repair-centric design, which assumes that hardware, software, and
human failures are certain, and provides rapid and effective
mechanisms for detecting and recovering from them. These mechanisms should be designed to make as few assumptions
about failure characteristics as possible, and they should provide means to
recover from unanticipated catastrophic failures that make it past any standard
fault-tolerance lines of defense. Furthermore, a repair-centric system design
has to go beyond simply providing recovery mechanisms. To truly have a
repair-centric design, recovery mechanisms have to be treated as first-class
parts of the system, and integrated into a framework that manages their use and
guarantees their effectiveness.
Finally, rather than treating the human operator as only the last line of
defense in a systems whose other recovery mechanism have failed, a
repair-centric system will design-in features to aid the human operator.
A full discussion of repair-centric system design
is outside the scope of this proposal, but we We identify a few
important techniques for
repair centric system design here. First, a repair-centric system
inherently requires redundancy of hardware and data in the form of clustered
hardware with replicated state. The system design must be partitionable to
support fault containment and to provide the means of safely
exercise ofing
repair mechanisms; again, physically partitioned designs
such as clustered organizations seem appropriate. To achieve the goal of quickly
detecting
failures, repair-centric systems should be built to incorporate
extensive self-testing and checking at the component and system-wide level. As
part of this detection, a repair-centric system should strive to expose and
repair latent errors in the system before they are activated; the kinds of
“normal accidents” analyzed by Perrow [4.2a5] often occur
only when many latent errors have accumulated in the system and are all
activated simultaneously in a chain-reaction cascade of failures.
.
To ensure that the
repair mechanisms are trustworthy, recovery
code will be periodically tested in situ
as part of normal system operation, allowing automated recovery mechanisms be
exercised and verified in the production environment. When repair requires
human intervention, those mechanisms will be exercised as well: the human
operators should be subjected to realistic “fire-drill” simulations of
failures and repair, allowing them to become familiarized with the system’s
failure modes, maintenance interfaces, and recovery procedures, all in the
realistic context of the production environment. Such realistic, on-the-job
operator training helps human operators calibrate their mental models of the
system and allows them to make mistakes and learn from them, an essential part
of gaining familiarity and confidence with system repair tasks. The last key guarantee
for a repair-centric system is that it must tolerate further errors and
failures during recovery, repair and maintenance. In the large-scale systems
that are being built today, the statistical probability of double failures is
becoming non-negligible. Furthermore, with human operators involved in
recovery and repair procedures, human-induced failures during these procedures
are inevitable. A common error in
recovering from a disk failure in a RAID system, for example, is replacing the wrong disk. We propose to provide a set of undo primitives, from
a single point undo to handle human errors in replacing system components,
through a global mechanism that allows for the rollback and selective replay of
a set of software upgrades and system configuration changes.
4.2.2 Availability Modeling
There are several problems with the current models used to measure availability when applied to SISs. First, main of the models used a binary value for availability, in which a systems is either up or down. In practice, and SIS may never be entirely up or entirely down so a more continuous model is needed which takes into account both the observed performance of the systems and the quality of its results. Just as a search engine may be either slow or incomplete, so to may an SIS make decisions of varying quality and cost, depending on which components of the system are available. We propose research on several aspects of availability models for SISs.
To achieve success we need to measure it: the factor of 10,000 in improvement in hardware performance over the last two decades is due in part to widely accepted benchmarks to evaluate results.
Availability
benchmarks
involve the use of fault injection to create failures and bring the system into
states where maintenance is required. Accurate fault injection requires two
things: a fault model that is capable of inducing a set of failures
representative of what is seen in the real world, and a harness to inject those
faults. In our previous work, we have defined fault models for storage systems
based on disk failures [4.2b11],
but we will need a much broader fault model to capture the behavior of clusters
within SISs. We will use commercial failure data from existing cluster-based
servers when it is available, combined with synthetic workloads to study
particular fault patterns as well as randomized behavior.
Benchmarking availability will be much harder than benchmarking performance, especially for those aspects that involve measuring behavior of human subjects. There are many research areas of academia — including human centered systems — based on measuring human subjects. We will collaborate with experts in those areas to measure people and systems as maintenance events are inserted
The benchmarks will tell has what
behavior occurs, but not necessarily why.
High availability systems should provide assistance
in diagnosing the root cause of problems afteronce they have been
detectioned.
Because of the complexity of SISs, the component interdependencies between
components may not be unknown, and will therefore be inferred by
injecting realistic test inputs and checking the resulting outputs for both correctness
and performance. To aid in diagnosis, repair-systems should automatically track
the health of all components, and use techniques such as dependency analysis to
automatically pinpoint the root-cause of detected problems [4.2c10].
4.2.3 Performance Fault Adaptation
Nearly all extant reliable or fault-tolerant system designs attempt to
mask faults to the greatest extent possible; the goal is to provide the
illusion of perfectly-functioning hardware or software to higher layers of the
system. Were it possible to completely mask faults, this would be a justified
approach, but in practice, while many faults can be masked from a functionality
point of view, they often result in a kind of
performance fault. For example, a system that mirrors
persistent state on two disks, but puts the secondary copy on a disk that holds
the primary copy of another data set will suffer a performance fault if a disk
fails so that one disks must server twice as much data [4.2d12]. While fault masking is one important source
of performance faults, they may also arise from come from many other factors, such as network
congestion, load spikes, or disk fragmentation. Performance faults are surprisingly common even on dedicated,
homogeneous clusters, especially as the systems scale to large numbers of
components. Performance faults are
easily handled in clusters that are processing many small independent tasks in
parallel, such as a web servers or transaction processing system. However, for decision support problems, such
as predicting the effects of an earthquake on a particular building, the entire
system may run at the speed of the slowest component. We propose to use dynamic load balancing techniques to address
performance faults. We will investigate
two techniques for detecting performance faults, the first being explicit
notification of faults to higher level software from a lower level
fault-masking system. The second is
implicit inference of performance faults based on measurement progress of operations as they execute.
In summary, ourthe
goals of
our availability work are to 1) Develop principles of
repair-centric design, where errors occur due to hardware, software, and
people; 2) Chataracterize failures by hardware,
software, and people to develop a failure workload; 3) Develop availability
benchmarks to measure systems; 4) Demonstrate the benchmarking principles by
running availbility benchmarks on a SIS designed according to those principles,
and contrast its behavior to traditional systems; 5) Develop models to identify
the cause of an observed failure; 6) Develop algorithms to detect and adapt to
load imbalance due to performance faults.
4.3
Security
and Policy (Target: 1 page) (Faculty: Tygar,
Wagner, Samuelson) (no refs yet!)
A
central theme throughout this proposal is the use of widespread sensors to
collect and deliver information and of distributed systems to respond and act
upon the information presented. This presents
a number of important security challenges:
(1) We need to be able to authenticate and
secure messages sent from, to, and among the sensors. It is unacceptable if a hostile party is able to trigger a major
alert for the disaster response application, for example. While cryptography can solve many of these
problems, sensors provide a particular difficult technical challenge is
increased because sensors will typically have minimal computational abilities. We have developed a family of lightweight broadcast/multicast
stream authentication and signatures algorithms, TESLA and EMSS [4.3a, 4.3bCITATIONS 1.1]
that we have implemented on Berkeley's experimental SmartDust [4.3cCITATIONS 1.2]
platform. This provides for security on
an 8-bit device with only 8KBytes of ROM and 512 bytes of RAM. We are also exploring access control through
the ELK key distribution protocol [4.3dCITATION 1.3]. In this work, we will adapt and build
security protocols for sensor class devices. In particular, we will work on the
problem of continual re-authentication devices so as to keep them from being
subverted.
(2) The use of sensors raises significant
privacy questions. How can we collect
data and provide maximum assurance against that it will not be misused? In many cases, aggregate information only
can be provided. We will explore both
technical and policy aspects of this question [4.3e, 4.3f, 4.3g, 4.3n, 4.3o, 4.3p]CITATIONS 2.1, 2.2].
(3) Large-scale monitoring systems will need
to aggregate data and distribute computation across platforms controlled by
participants with diverse interests. Current approaches to security, based on
perimeter security, are brittle and scale poorly: When any intruder who can
bypass the firewall gains full access to the system, a single intrusion can
defeat the entire system. We will seek lightweight techniques to ensure that
SISs degrade gracefully even in the presence of a small number of malicious
parties or intrusions. We will study two approaches to improving robustness.
First, we will study algorithms and distributed data structures that are
resilient even in the presence of a small fraction of maliciously chosen inputs
or untrustworthy protocol participants, and we will examine techniques such as
random sampling, averaging, and replication for this purpose. Second, we will
study programming disciplines for reducing the risk of vulnerability
in security-critical source code, and we will develop static and runtime tools
for identifying violations of these
"good security hygiene" guidelines. [4.3h,4.3i,4.3j,4.3k,4.3l, 4.3mCITATION 3].
Finally information processing techniques to handle “outlier quality”
information is discussed in § 4.1.4 above.
The CITRIS effort will
require a new generation of algorithmic ideas and techniques, in three rough
categories: (1) Algorithms related to
the applications, including visualization, supported by the proposed SISs; (2)
general algorithmic problems involved in the design of the SIS architecture;
and (3) algorithmic problems involved in the operation of the specific SISs
proposed. A strength of the investigator team is a strong interest in basic
algorithmic methods for the analysis of complex systems: In this section we
briefly expand on algorithms for items (2) and (3). We emphasize that algorithms
for all the items will also be developed integrally as part of the proposed
research in §3 and §4.1-4.3 as well.
In the area of heterogeneous networking, we have embarked on a foundational algorithmic study of the optimization problems related to congestion control and network design in the context of the Internet [see REF1]. The ab initio design of the SISs in CITRIS will be a valuable test bed for the ideas that have emerged from that work, and an opportunity for adapting them to novel environments. The SISs to be built by CITRIS will resemble the Internet in rough scale, but will differ dramatically from it in their socio-economic nature (built and operated by entities of varying degrees of cooperation and trust, but not predominantly competitive), and in their data and traffic profiles (steady streams, very infrequent bursts, mostly non-time-critical data, deep priority hierarchies). The protocols developed for these SISs, as well as their interconnection technologies and topologies, will probably not resemble Internet protocols or technologies/topology at levels below the very highest level. Of specific interest is the development of new light weight protocols for SISs and their optimized design. The design of the SIS network architecture will influence deeply (and will be based on) network operation characteristics. There will be data compression (both lossless and lossy) at every level of the network (communication protocols at the sensor level exploiting data correlations, fundamental tradeoffs to be made between computing and communicating (with a bank balance of total energy and peak power consumption) will need to be made in the nJ/ bit for transmittal or for localized algorithms, tradeoffs of latency versus energy and power consumption will need to be made online for the networks depending on the urgency of the situation being monitored and communicated, application-dependent data combining and data mining at the server level, further combining, mining, and prioritizing at higher network levels), together with background traffic of raw data for archiving whose levels of priority reflect potential criticality. These performance issues will complement concerns of trust, security, privacy, and dependability in a genre of novel algorithmic problems of unprecedented scope and scale, combining for the first time three basic aspects: communication, analysis/processing, and storage/ protection of data.
5
In addition to an ambitious
program of curriculum develeopment at UCB and UCD Berkeley and Davis,
our main outreach partner is to UCM Merced (see the attached letter from
Provost Designate David Ashley in Appendix B). UC Merced will be the first
new American research university built in the twenty-first century in California’s
great agricultural heartland. While the new campus will draw students from
all over California, it has a special mission to expand participation of
underrepresented students, particularly Hispanic, first generation
college-going, low income and rural students from the San Joaquin Valley. These students are not well represented in
technology–oriented science and engineering . UCM Merced plans to open for instruction in Fall 2004
with 100 faculty, half in science and engineering fields. Our partnership will help contribute to UCM Merced’s ability to recruit
outstanding faculty working at the cutting edge of engineering and IT information technology.
Some faculty recruitment targets
of
recruitment will be faculty who can contribute directly
to the work in SISs and would hold periodic residences at UBerkeleyCB and UCD. Davis. These faculty in turn will be able to
recruit outstanding graduate students on whom UC Merced’s excellence in
graduate education will be based. Since In addition,
because faculty recruitment is will be phased
over the next three years, UCM Merced will be able to contribute
to research beginning in Fall 2002. The area
of Eenergy efficiency,
has special importance to UUC Merced CM as a new
university. As part of a region
characterized by extremes of 100°+ heat and near-freezing
temperatures, UCM Merced has
the opportunity to be a model for an environmentally effective design in all aspects
of its building and campus operations program. Thus, beginning with the Spring 2002
groundbreaking, UCM
Merced
will serve as a test bed for research applications in SIS for
energy efficiency. Making the building
of the campus a target of research will be UCM’s UC Merced’s unique
contribution to this proposal.
Another critical element of
the partnership is development of undergraduate education at UCM Merced. UCM Merced faculty
will collaborate with UCB
Berkeley
and UCDavis
on developing lower division preparation courses in a technology-based format
for remote delivery. In addition, this
spring, UCM Merced will
begin its outreach to Valley Community College students through publication of
curricular pathways that will prepare students to transfer to UCM Merced’s science
and engineering programs. Ultimately,
these courses will support undergraduate education of all UCM Merced students,
whether they begin their education on campus or prepare for UCM Merced through a
Community College articulation program
References
[1a] CITRIS – Center for
Information Technology Research in the Interest of Society, http://www.citris.berkeley.edu, 2001
[1b] BSAC – Berkeley Sensor and Actuator
Center, http://www-bsac.eecs.berkeley.edu,
2001
[2.1a] J. Rabaey, E. Arens, C. Federspiel, A.
Gadgil, D. Messerschmidt, W. Nazaroff, K. Pister, S. Oren, P. Varaiya, “Smart
Energy Distribution and Consumption ─ Information Technology as an
Enabling Force”, http://www.cs.berkeley.edu/~demmel/ITR_CITRIS_Refs/SmartEnergy.html, 2001
[2.1b] Interlaboratory Working Group 2000,
“Scenarios for a Clean Energy Future”, Oak Ridge NL (Technical Report
ORNL/CON-476) and Lawrence Berkeley NL (Technical Report LBNL-44029), November
2000, Chapter 4
[2.2a] Board on Natural Disasters, “Reducing
Disaster Losses Through Better Information”, National Research Council, 1999,
72 pages, http://books.nap.edu/catalog/6363.html
[2.2b] Newman, M.W. and J.A. Landay. Sitemaps,
Storyboards, and Specifications: A Sketch of Web Site Design Practice as
Manifested Through Artifacts. In Proceedings of ACM Conference on Designing Interactive Systems. New York City. pp.
263-274, August 2000.
[2.2c] Elliott, A. and Hearst, M. How Large Should
a Digital Desk Be? Qualitative Results of a Comparative Study in the
Proceedings of CHI'00, Conference Companion, The Hague, Netherlands, 2000.
[2.2d] Heaton, T. (1996). “ The TriNet Project,”
Proceedings, Eleventh World Conference on Earthquake Engineering, Elsevier
Science Ltd.,Paper No. 2136
[2.2e] TriNet (2001). “TriNet: Seismic System for
Southern California,” http://www.trinet.org/.
[2.2f] Buika, J. et al. (1998). “Advances in Scientific and Engineering Post-Earthquake Operational Response and Disaster Intelligence,” Proceedings, Sixth U.S. National Conference on Earthquake Engineering.
[2.2g] Scrivner, C., Worden, C.B. Wald, D.J. (2000). “Use of TriNet ShakeMap to Manage Earthquake risk,” Proceedings, Sixth International Conference on Seismic Zonation: Managing Earthquake Risk in the 21st Century, EERI.
[2.2h]
S.Sandeep Pradhan and Kannan Ramchandran, Distributed source coding using
syndromes (DISCUS): Design and construction, Proc. IEEE Data Compression
Conference (DCC), 1999. http://basics.eecs.berkeley.edu/~kannanr/research/discus.html
[2.2i] McConnell, K.G. (1995) Vibration Testing: theory and practice, Wiley, p. 606.
[2.2j] Farrar, C.R., Doebling, S.W., Nix, D.A., (2001) Vibration-Based
Structural Damage Identification, Philosophical Transactions of the Royal
Society: Mathematical, Physical & Engineering Sciences, 359(1778), pp.
131 – 149
[2.2k] Farrar, C.R. and
Doebling, S.W., (1997) Lessons Learned from Applications of Vibration-Based
Damage Identification Methods to Large Bridge Structures, Proc. of the International Workshop on Structural Health Monitoring,
Stanford, CA, Sept 1997, pp. 351-370.
[2.2l] Beck, J.L. (1978). Determining Models of Structures from
Earthquake Records. Earthquake Engineering Research Laboratory 78-01.
California Institute of Technology.
[2.2m] Safak, E. (1997).
Propagation of Seismic Waves in Tall Buildings. Tall Buildings for the 21st
Century (Proceedings of the 4th Conference on Tall Buildings in Seismic
Regions), 129-154.
[2.2n] Udwadia, F. E.
(1985). Some Uniqueness Results Related to Soil and Building Structural
Identification, SIAM J. Applied Math.,
45(4), p. 674.
[2.2o] Werner, S.D., Crouse,
C.B., Katafygiotis, L.S., and Beck, J.L. (1994) Use of strong motion records
for model evaluation and seismic analysis of a bridge structure, Proceedings of the Fifth U.S. National
Conference on Earthquake Engineering, 1, 511-520.
[2.2p] Stewart, J.P, Fenves,
G.L. (1998) “System Identification for Evaluating Soil-Structure Interaction
Effects in Buildings from Strong Motion Recordings”, Earthquake Engineering and Structural Dynamics, 27(8), pp. 869-885.
[2.2q] Arici, Y. and K. M.
Mosalam, (2000) System Identification and Modeling of Bridge Systems for
Assessing Current Design Procedures, Proceedings
of SMIP2000 Seminar, Sept. 14, Sacramento, CA
[2.2r] Baise, L.G., and
Glaser, S.D. (2000), Repeatability of Site Response Estimates Made Using System
Identification, Bulletin of the
Seismological Society of America, 90(4), pp. 993-1009.
[2.2s] Glaser, S.D., and
Baise, L.G. (2000), System Identification Estimation of Damping and Modal
Frequencies at the Lotung Site, Soil
Dynamics and Earthquake Engineering, 19(6), pp. 521-531.
[2.2t] Lin, J.-S. and Zhang,
Y. (1994). Nonlinear structural identification using extended Kalman filter. Computers and Structures, 52(4), p.757.
[2.2u] Koh, C. G.; See, L.
M, "Identification and uncertainty estimation of structural
parameters," Journal of Engineering Mechanics, 120, 6, June 1994, pp.
1219-1236
[2.2v] Beck, J.L., and
Katafygiotis, L.S. (1998). Updating
Models and Their Uncertainties. I: Baysian Statistical Framework, Journal of Engineering Mechanics, 124(4),
p. 455.
[2.2w] Smyth, A.W., Masri,
S.F., Chassiakos, A.G., and Caughey, T.K. (1999). On-Line Parameter Identification of MDOF Nonlinear Hysteretic
Systems, Journal of Engineering Mechanics,
125(2), p. 133.
[2.2x] Lus, H.; Betti, R.;
Longman, R. W. "Identification of linear structural systems using
earthquake-induced vibration data," Earthquake Engineering &
Structural Dynamics, 28, 11, Nov. 1999, pp. 1449-1467.
[2.2y] Hjelmstad, K. D.;
Banan, M. R.; Banan, M. R. “On Building Finite Element Models of Structures
from Modal Response,” Earthquake
Engineering & Structural Dynamics, 24(1), pp. 53-67.
[2.2z] DesRoches, R.,
Fenves, G.L. (1997). “Evaluation of Recorded Earthquake Response of a Curved
Highway Bridge”, Earthquake Spectra,
13(3), pp. 363-386.
[2.2aa] Sohn, H., Law, K.H.
(1997). “Bayesian Probabilistic Approach for Structure Damage Detection,” Earthquake Engineering & Structural
Dynamics, 26(12), pp. 1259-1281.
[2.2bb] Archer, G.C.,
Fenves, G.L., Thewalt, C. (1999).“A New Object-Oriented Finite Element Analysis
Program Architecture”, Computers &
Structures, 70(1), pp. 63-75.
[2.2cc] McKenna, F., Fenves,
G.L. (2000). “An Object-Oriented Software Design for Parallel Structural
Analysis”, Advanced Technology in
Structural Engineerings, Structures Congress 2000, ASCE.
[3.1a] J. Hill, R. Szewczyk, A. Woo, D. Culler, S.
Hollar, K. Pister, System Architecture
Directions for Networked Sensors, 9th International Conference on
Architectural Support for Programming Languages and Operating Systems, Nov.
2000, pp. 93-104
[3.1b] Chalermek Intanagonwiwat, Ramesh Govindan
and Deborah Estrin. Directed Diffusion: A
Scalable and Robust Communication Paradigm for Sensor Networks, ACM MobiCom
2000, August 00, Boston, MA.
[3.1c] Embedding
the Internet, Special Issue of CACM, May 2000
[3.1d]
Hellerstein et al. Interactive Data Analysis with CONTROL. IEEE Computer,
August 1999
[3.2a] Microsoft Corporation, .Net Home Page, http://www.microsoft.com/net/default.asp.
[3.2b] Sun Corporation, Java Home Page, http://www.java.sun.com/.
[3.2c] R. Braden, L. Zhang, S.
Berson, S. Herzog and S. Jamin, “ReSerVation Protocol (RSVP) Version 1
Functional Specification,” Internet RFC 2205, IETF Network Working Group,
September 1997. http://www.merit.edu/~ipma/tools/lookingglass.html.
[3.2d] N. Duffeld, P. Goyal, A. Greenberg, P. Mishra, K. K.
Ramakrishnan, J. E. Van der Merwe, “A Flexible Model for Resource Management in
Virtual Private Networks," Proc. of ACM Sigcomm, pp. 95-108, (September
1999).
[3.2e]
D. Verma, Supporting Service Level Agreements in IP
Networks, Macmillan Publishing Company, New York, 1999.
[3.2f] C. Chuah, L.
Subramanian, A. D. Joseph, R. H. Katz, “QoS Provisioning Using A Clearing House
Architecture,” 8th International Workshop on Quality of Service
(IWQOS 2000), Pittsburgh, PA, (June 2000).
[3.2g] S. D. Gribble, M. Welsh, R. von Behren, E. A.
Brewer, D. Culler, N. Borisov, S. Czerwinski, R. Gummadi, J. Hill, A. Joseph,
R. H. Katz, Z. M. Mao, S. Ross, B. Zhao, “The Ninja Architecture for Robust
Internet-Scale Systems and Services,” Journal
of Computer Networks, Special Issue on Pervasive Computing, to appear.
[3.2h] Z. Mao, W. So, R. H.
Katz, “Network Support for Mobile Multimedia Using a Self-Adaptive Distributed
Proxy,” ACM NOSSDAV 2001, New York, (June 2001).
[3.2i] J.
Kubiatowicz, D. Bindel, Y. Chen, S. Czerwinski, P. Eaton, D. Geels, R. Gummadi,
S. Rhea, H. Weatherspoon, W. Weimer, C. Wells, B. Zhao, “OceanStore: An
Architecture for Global-Scale Persistent Storage,” Proceedings of the Ninth
international Conference on Architectural Support for Programming Languages and
Operating Systems (ASPLOS 2000), November 2000..
[3.2j] S. Zhuang, B. Zhao, A. Joseph, R. H. Katz, J. Kubiatowicz, “Bayeux: An Architecture for Wide-Area, Fault-Tolerant Data Dissemination Protocol,” ACM NOSSDAV 2001, New York, (June 2001).
[3.2k] 3GPP specification. http://www.3gpp.org/3G_Specs/3G_Specs.htm.
[3.2l] B. Stiller, T. Braun,
M. Gunter and B. Plattner, “The CATI project: charging and accounting
technology for the Internet,” Proc. of 4th European Conference: Multimedia Applications,
Services and Techniques, pp. 281-96, May 1999.
[3.3a] Tolga Urhan, Michael J. Franklin, Laurent Amsaleg.
Cost Based Query Scrambling for Initial Delays,Procedings of the ACM SIGMOD Conference, Seattle, WA, June 1998, pp. 130-141.
[3.3b] Joseph M. Hellerstein, Michael J. Franklin, Sirish
Chandrasekaran, Amol Deshpande, Kris Hildrum, Sam Madden, Vijayshankar Raman,
Mehul Shah. Adaptive Query Processing: Technology in Evolution, IEEE Data Engineering Bulletin, June
2000, pp 7-18.
[3.3c] Joseph
M. Hellerstein Ron Avnur, Andy Chou, Chris Olston, Vijayshankar Raman, Tali
Roth, Christian Hidber, Peter J.Haas. Interactive Data Analysis with
CONTROL, IEEE Computer 32(8), August, 1999, pp. 51-59.
[3.3d] Ron Avnur, Joseph M.
Hellerstein. Eddies: Continuously Adaptive Query Processing, Procedings of the ACM SIGMOD Conference,
Philadelphia, PA, June 2000,
[3.3e] Ugur Cetintemel, Michael J. Franklin, and C.
Lee Giles. Self-Adaptive User Profiles for Large-Scale Data Delivery, Proceedings of the International Conference
on Data Engineering, San Diego, CA, February, 2000, pp 622-633
[3.3f] Mitch Cherniack, Michael J. Franklin, Stan
Zdonik. Expressing User Profiles for Data Recharging, accepted for publication, IEEE Personal Communications, April 2001
(to appear).
[3.3g] Mehmet Altinel, Michael J. Franklin.
Efficient Filtering of XML Documents for Selective Dissemination of
Information, Proceedings of the
International Conference on Very Large Data Bases, Cairo, September 2000.
[3.4a] Olston, C., Woodruff, A., Aiken, A., Chu,
M., Ercegovac, V., Lin, M., Spalding, Stonebraker, M.
DataSplash, SIGMOD 1998, Seattle, Washington, June 1998.
[3.4b] Avnur, R., Hellerstein, J., Lo, B., Olston,
C., Raman, B., Raman, V., Roth, T., Wylie, K. CONTROL: Continuous Output and
Navigation Technology with Refinement On-Line, SIGMOD 1998, Seattle,
Washington, June 1998.
[3.4c] Hearst, M., User Interfaces and
Visualization, in Modern Information Retrieval, Baeza-Yates and Ribeiro-Neto
(Eds), Addison-Wesley Longman, 1999.
[3.4d] Glaser, D. and Hearst, M. Space Series:
Simultaneous display of spatial and
temporal data, IEEE Symposium on Information Visualization, October 1999.
[3.4d] Newman,
M.W. and J.A. Landay. Sitemaps, Storyboards, and Specifications: A Sketch of
Web Site Design Practice as Manifested Through Artifacts. In Proceedings of ACM Conference on Designing Interactive
Systems. New York City. pp. 263-274, August 2000.
[3.4e] Elliott, A. and Hearst, M. How Large Should
a Digital Desk Be? Qualitative Results of a
Comparative Study in the Proceedings of CHI'00, Conference Companion, The
Hague, Netherlands, 2000.
[3.4f] Hong, J.I. and J.A. Landay, An
Infrastructure Approach to Context-Aware Computing. Human-Computer Interaction,
2001. 16(2).
[3.4g] “Application of Information Visualization Techniques
to Networked Sensors ,” Philip Buonadonna and Jason Hill, 2000, http://www.sims.berkeley.edu/courses/is247/f00/projects.html
[3.4h] “CLOUDS: On-line database visualization”, C.
Olston, T. Roth, A.
Chou, J. Hellerstein, 2000. http://datasplash.cs.berkeley.edu/online/
[3.4i] “The Firewall Project”, A. Bhargava, K. Stewart, J. Archuleta, J. Cho, S. Schuman, J. Landay,
2000, http://ratbert.bmrc.berkeley.edu/courseware/cs169/spring01/projects/firewall/
[3.4j] “Crossweaver”, J. Landay, A. Sinha, J. Lin, 2001, http://guir.berkeley.edu/projects/cweaver/
[3.5a] Bertram, M., Duchaineau,
M.A., Hamann, B. and Joy, K.I. (2000), Bicubic subdivision-surface wavelets for
large-scale isosurface representation and visualization, in: Ertl, T., Hamann,
B. and Varshney, A., eds., Visualization 2000, IEEE Computer Society Press, Los
Alamitos, California, pp. 389-396.
[3.5b] Bertram, M.,
Duchaineau, M.A., Hamann, B. and Joy, K.I. (2000), Wavelets on planar
tesselations, in: Arabnia, H.R., Coudoux, F.-X., Mun, Y., Power, G.P., Sarfraz,
M. and Zhu, Q., eds., Proc. The 2000 International Conference on Imaging
Science, Systems, and Technology (CISST 2000), Computer Science Research,
Education, and Applications Press (CSREA), Athens, Georgia, pp. 619-625.
[3.5c]
Bremer, P.-T., Hamann, B., Kreylos, O. and Wolter, F.-E. (2001), Simplification
of closed triangulated surfaces using simulated annealing, in: Lyche, T. and
Schumaker, L.L., eds., Mathematical Methods in CAGD: Oslo 2000, Vanderbilt
University Press, Nashville, Tennessee, pp. 45-54.
[3.5d] Gieng, T.S., Hamann,
B., Joy, K.I., Schussman, G.L. and Trotts, I.J. (1998), Constructing
hierarchies for triangle meshes, IEEE Transactions on Visualization and
Computer Graphics 4(2), pp. 145-161.
[3.5e]
Hamann, B., Jordan, B.W. and Wiley, D.F. (1999), On a construction of a
hierarchy of best linear spline approximations using repeated bisection, IEEE
Transactions on Visualization and Computer Graphics 5(1/2), pp. 30-46, p. 190
(errata).
[3.5f] Heckel, B., Uva, A.E.
and Hamann, B. (1999), Cluster-based generation of hierarchical surface models,
in: Hagen, H., Nielson, G.M. and Post, F., eds., Proc. Scientific Visualization
- Dagstuhl '97, second printing, IEEE Computer Society Press, Los Alamitos,
California, pp. 113-122.
[3.5g] Kreylos, O. and Hamann,
B. (1999), On simulated annealing and the construction of linear spline
approximations for scattered data, in: Groeller, E., Loeffelmann, H. and
Ribarsky, W., eds., Data Visualization '99 (Proc. "VisSym '99"),
Springer-Verlag, Vienna, Austria, pp. 189-198.
[3.5h] Schussman, S.E.,
Bertram, M., Hamann, B. and Joy, K.I. (2000), Hierarchical data representations
based on planar Voronoi diagrams, in: de Leeuw, W.C., van Liere, R., eds., Data
Visualization 2000 (Proc. "VisSym '00"), Springer-Verlag, Vienna,
Austria, pp. 63-72.
[3.5i] Trotts, I.J., Hamann,
B. and Joy, K.I. (1999), Simplification of tetrahedral meshes with error
bounds, IEEE Transactions on Visualization and Computer Graphics 5(3), pp.
224-237.
[3.5j] Bonnell, K.S., Schikore,
D.R., Joy, K.I., Duchaineau, M.A. and Hamann, B. (2000), Constructing material
interfaces from data sets with volume-fraction information, in: Ertl, T.,
Hamann, B. and Varshney, A., eds., Visualization 2000, IEEE Computer Society
Press, Los Alamitos, California, pp. 367-372.
[3.5k] Gregorski, B.F.,
Hamann, B. and Joy, K.I. (2000), Reconstruction of B-spline surfaces from
scattered data points, in: Magnenat-Thalmann, N. and Thalmann, D., eds.,
Proceedings of Computer Graphics International 2000, pp. 163-170.
[3.5l] Hamann, B., Kreylos,
O., Monno, G. and Uva, A.E. (1999), Optimal linear spline approximation of
digitized models, in: Banissi, E., Khosrowshahi, F., Sarfraz, M., Tatham, E.
and Ursyn, A., eds., Proc. "1999 IEEE International Conference on
Information Visualization (IV '99) - Computer Aided Geometric Design
Symposium," IEEE Computer Society Press, Los Alamitos, California, pp.
244-249.
[3.5m] Kreylos, O., Ma, K.-L.
and Hamann, B. (2000), A multi-resolution interactive previewer for volumetric
data on arbitrary meshes, in: Outhyoung, M. and Shih, Z.-C., eds., Proc. 2000
International Computer Symposium – Workshop on Computer Graphics and Virtual
Reality, Department of Computer Science and Information Engineering, National
Chung Cheng University, Chiayi, Taiwan, R.O.C., pp. 74-81.
[3.5n] Kuester, F.,
Duchaineau, M.A., Hamann, B., Joy, K.I. and Ma, K. L. (2000), The
DesignersWorkbench: towards real-time immersive modeling, in: Merritt, J.O.,
Benton, S.A., Woods, A.J. and Bolas, M.T., eds., Stereoscopic Displays and
Virtual Reality Systems VII, Proc. SPIE Vol. 3957, SPIE – The International
Society for Optical Engineering, Bellingham, Washington, pp. 464-472.
[3.5o] LaMar, E.C., Hamann, B.
and Joy, K.I. (1999), Multiresolution techniques for interactive texture-based
volume visualization, in: Ebert, D.S., Gross, M. and Hamann, B., eds.,
Visualization '99, IEEE Computer Society Press, Los Alamitos, California, pp.
355-361.
[3.5p] Scheuermann, G.,
Hamann, B., Joy, K.I. and Kollmann, W. (2000), Visualizing local vector field
topology, Journal of Electronic Imaging 9(4), special section on visualization
and data analysis, SPIE - The International Society for Optical Engineering,
pp. 356-367.
[4.1a]
T. A. Henzinger and S. S. Sastry, “Hybrid Systems: Computation and Control”,
Springer Verlag Lecture Notes in CS, Vol. LNCS 1386, 1998.
[4.1b] C. J. Tomlin, J.
Lygeros and S. Sastry, “A Game Theoretic Approach to Controller Design for
Hybrid Systems”, Proceedings of the IEEE, Special Issue on Hybrid Systems, Vol.
88, July 2000, pp. 949-970.
[4.1c] T. Henzinger, S. Qadeer and S. Rajamani,
“Decomposing refinement proofs using assume
guarantee reasoning, “ Proceedings of the IEEE/ACM Conference on
Computer Aided Design, ICCAD 2000, pp. 245-252.
[4.1d] T.A. Henzinger. “The theory of hybrid automata,” Proceedings of the 11th Annual
IEEE Symposium on Logic in Computer Science, 1996, pp. 278-292.
[4.1e] R. Alur, L. de Alfaro, T.A. Henzinger, and F.Y.C.
Mang. “Automating modular
verification,”Proceedings of the Tenth
International Conference on Concurrency Theory, Lecture Notes in Computer Science 1664, Springer-Verlag, 1999, pp.
82-97.
[4.1f] T.A. Henzinger. “Masaccio: a formal model for embedded components”, Proceedings
of the First IFIP International Conference on Theoretical Computer
Science, Lecture Notes in Computer
Science 1872, Springer-Verlag, 2000, pp.
549-563.
[4.1g] R. Alur and D.L. Dill. “A theory of timed automata”, Theoretical Computer Science,
126:183--235, 1994.
[4.1h] R. Alur and T.A. Henzinger. “Modularity for timed and
hybrid systems,” Proceedings of the Eighth
International Conference on Concurrency Theory, Lecture Notes in Computer
Science 1243, Springer-Verlag, 1997, pp. 74-88.
[4.1i] M. Abadi and L. Lamport. “Conjoining specifications”,. ACM Transactions on
Programming Languages and Systems, 17:507--534, 1995.
[4.1j] N.A. Lynch.Distributed
Algorithms. Morgan-Kaufmann, 1996.
[4.1k] R. Segala. Modeling and Verification of Randomized Distributed
Real-Time Systems.
PhD thesis, MIT, 1995.
[4.1l] E.A. Lee. Embedded Software: An Agenda for Research. Technical Report UCB/ERL No.
M99/63, University of California, Berkeley, 1999.
[4.1m] T.A. Henzinger, M. Minea, and V. Prabhu, “Assume-guarantee reasoning for
hierarchical hybrid systems”,. Proceedings of the Fourth International Workshop on
Hybrid Systems: Computation and Control, Lecture Notes in Computer
Science 2034, Springer-Verlag, 2001, pp.
275-290.
[4.1n] N.A. Lynch, R. Segala, F. Vaandrager, H.B.
Weinberg. “Hybrid I/O Automata. Hybrid Systems III”, Lecture Notes in Computer Science 1066, Springer-Verlag,
1996, pp. 496-510.
[4.1o] E.M. Clarke, O. Grumberg, and D.A. Peled. Model Checking. MIT Press, 1999.
[4.1p] A. Aiken, E. Wimmers, and T.K. Lakshman. Soft typing with conditional
types.
Proceedings of the Twenty-First Annual ACM Symposium
on Principles of Programming Languages,
1994, pp. 163--173,
[4.1q] D. Bjorner, A.P. Ershov, and N.D. Jones, editors. Partial Evaluation and Mixed
Computation.
North-Holland, 1988.
[4.1r] R. Cartwright and M. Fagan. Soft typing. Proceedings of the ACM SIGPLAN
Conference on Programming Language Design and Implementation, 1991,
pp. 278-292.
[4.1s] B. Hetzel. The Complete Guide to Software Testing.
John Wiley, 1984.
[4.1t] E. Kit. Software Testing in the Real World. Addison-Wesley, 1995.
[4.1u] G. Myers. The Art of Software Testing. John Wiley, 1977.
[4.1v] G. Lafferriere, G. J. Pappas, and S. Sastry.
“O-minimal Hybrid Systems,” in Mathematics of Control, Signals, and Systems,
March 2000, Vol. 13, No. 1: 1-21.
[4.1w] Johansson, K.H.;
Egerstedt, M.; Lygeros, J.; Sastry, S. “On the Regularization of Zeno Hybrid
Automata,” Systems & Control Letters, 26 October 1999, Vol. 38, No.
3: 141-50.
[4.1x] Lygeros, J; Tomlin, C; Sastry, S. “Controllers for Reachability Specifications
for Hybrid Systems, “ AUTOMATICA, March 1999, Vol. 35 No. 3: 349-370.
[4.1y] G. Pappas and S. Sastry,
"Straightening Rectangular Inclusions," Systems and Control
Letters, 1998, Vol. 35, No. 2: 79-85.
[4.1z] J. Hu, J. Lygeros and S. Sastry, “Towards a theory of
stochastic hybrid systems,” in
Proceedings of the Third Conference on Hybrid
Systems: Computation and Control, edited N. Lynch and B.
Krogh, Springer LNCS, 2000.
[4.2a] C. Perrow. Normal Accidents: Living with High-Risk
Technologies. Princeton, NJ: Princeton Press, 1999.
[4.2b] ] A. Brown, G. Kar, and
A. Keller. An Active Approach to Characterizing Dynamic Dependencies for Problem Determination in a
Distributed Environment. To appear in Proceedings of the Seventh IFIP/IEEE
International Symposium on Integrated Network Management (IM VII), Seattle, WA,
May 2001.
[4.2c] A. Brown and D. A.
Patterson. Towards Availability Benchmarks: A Case Study of Software RAID
Systems. Proceedings of the 2000 USENIX
Annual Technical Conference, San Diego, CA, June 2000.
[4.2d] Arpaci-Dusseau, R.; Anderson, E.; Treuhaft,
N.; Culler, D.; Hellerstein, J.; Patterson, D.; Yelick, K. Cluster I/O with River: Making the Fast Case
Common, Proc. IOPADS '99: Sixth
Workshop on I/O in Parallel and Distributed Systems, Atlanta, Georgia, May 5,
1999.
[4.2e] J. M. Christensen and J. M.
Howard. Field Experience in Maintenance. Human
Detection and Diagnosis of System Failures: Proceedings of the NATO Symposium
on Human Detection and Diagnosis of System Failures, J. Rasmussen and W.
Rouse (Eds.). New York: Plenum Press,
1981, 111–133.
[4.2f] S. Fisher. E-business
redefines infrastructure needs. InfoWorld,
7 January 2000. Available from www.inforworld.com.
[4.2g] J. Gray. Why Do Computers Stop
and What Can Be Done About It? Symposium
on Reliability in Distributed Software and Database Systems, 3–12, 1986.
[4.2h] J. Hamilton. Fault Avoidance
vs. Fault Tolerance: Testing Doesn’t Scale. High
Performance Transaction Systems (HPTS) Workshop, Asilomar, CA, 1999.
[4.2i] B. H. Kantowitz and R. D.
Sorkin. Human Factors: Understanding
People-System Relationships. New York: Wiley, 1983.
[4.2j] D. R. Kuhn. Sources of Failure
in the Public Switched Telephone Network. IEEE
Computer 30(4), April 1997.
[4.2k] J. Menn. Prevention of Online
Crashes is No Easy Fix. Los Angeles
Times, 2 December 1999, C-1.
[4.2l] B. Murphy and T. Gent.
Measuring System and Software Reliability using an Automated Data Collection
Process. Quality and Reliability
Engineering International, 11:341–353, 1995.
[4.3a] A. Perrig, R. Canetti,
J. D. Tygar, D. Song. "Efficient
Authentication and Signing of Multicast Streams over Lossy Channels". In Proceedings of the 2000 IEEE Symposium on
Security and Privacy, May 2000, pages 56 - 73.
[4.3b] A. Perrig, R. Canetti,
D. Song, J. D. Tygar. "Efficient
and Secure Source Authentication for Multicast". In Proceedings of the Internet Society Network and Distributed
System Security Symposium, February 2001.
[4.3c] J. M. Kahn, R. H. Katz
and K. S. J. Pister. "Mobile Networking for Smart Dust". ACM/IEEE
Intl. Conf. on Mobile Computing and Networking (MobiCom 99), Seattle, WA,
August 17-19, 1999.
[4.3d] A. Perrig, D. Song, J.
D. Tygar. "ELK: A New Protocol for Efficient Large-Group Key
Distribution". To appear in
Proceedings of the 2001 IEEE Symposium on Security and Privacy, May 2001.
[4.3e] National Research
Council Committee on Information Systems Trustworthiness. Trust in Cyberspace. National Academy Press,
1999.
[4.3f] J. D. Tygar, A. Whitten. "Why Isn't the Internet Secure
Yet?" In ASLIB Proceedings, Volume
52, Number 3, March 2000, pages 93-97.
[4.3g] L. J. Camp, J. D.
Tygar. "Protecting privacy while
preserving access to data". In The Information Society, Volume 10, Number
1, January 1994, pages 59-71.
[4.3h] R. Bisbey II, D. Hollingsworth. "Protection analysis project final
report". Tech. report ISI/RR-78-13,
USC/Information Sciences Institute, May 1978.
[4.3i] A.K. Ghosh, T. O'Connor, G. McGraw, "An
automated approach for identifying potential vulnerabilities in software". Proc. IEEE Symp. on Security and Privacy, May 1998.
[4.3j] U. Shankar, K. Talwar, J.S. Foster, D.
Wagner. "Detecting format string vulnerabilities with type
qualifiers." To appear at USENIX
Security Symp., Aug 2001.
[4.3k] J. Viega, J.T. Block, T. Kohno, G.
McGraw. "ITS4: A static
vulnerability scanner for C and C++
code." 16th Ann. Comp. Security
Applications Conf.,
Dec 2000.
[4.3l] D. Wagner, D. Dean. "Intrusion Detection via Static
Analysis". To appear at IEEE Symp. on Security and
Privacy, May 2001.
[4.3m] D. Wagner, J.S. Foster, E.A. Brewer, A.
Aiken. "A first step toward automated detection of buffer
overrun vulnerabilities." Proc.
Network and Dist. System Security
Symp., Feb 2000.
[4.3n] P. Samuelson. "Privacy as Intellectual Property?" Stanford
Law Review,
Vol. 52,
No.5, May 2000, pages 1125-1173
[4.3o] P. Agre, M. Rotenberg, editors. Technology and
Privacy: The New
Landscape.
MIT Press, 1997.
[4.3p] J. Kang. "Information Privacy in Cyberspace
Transactions." Stanford Law
Review, Vol. 50, No. 4, April 1998, pages 1193-1294.
[4.3q] P.
Samuelson. "Intellectual Property and the Digital Economy: Why the
Anti-Circumvention Regulations Need To Be
Revised." Berkeley Technology
Law Journal, Vol. 14, No. 2, Spring 1999, pages
519-566.
[4.3r] P. Samuelson. "Towards More Sensible
Anti-Circumvention Regulations."
Proceedings of Financial Cryptography 2000,
forthcoming 2001.
References
submitted by section authors
[3GPP] http://www.3gpp.org/3G_Specs/3G_Specs.htm.
[Braden 97] R. Braden, L.
Zhang, S. Berson, S. Herzog and S. Jamin, “ReSerVation Protocol (RSVP) Version
1 Functional Specification,” Internet RFC 2205, IETF Network Working Group,
September 1997. //www.merit.edu/~ipma/tools/lookingglass.html.
[Chuah 00] C. Chuah, L. Subramanian, A. D. Joseph,
R. H. Katz, “QoS Provisioning Using A Clearing House Architecture,” 8th
International Workshop on Quality of Service (IWQOS 2000), Pittsburgh, PA,
(June 2000).
[Duffeld99] N. Duffeld, P.
Goyal, A. Greenberg, P. Mishra, K. K. Ramakrishnan, J. E. Van der Merwe, “A
Flexible Model for Resource Management in Virtual Private Networks," Proc.
of ACM Sigcomm, pp. 95-108, (September 1999).
[Gribble01]
S. D. Gribble, M. Welsh, R. von Behren, E. A. Brewer, D. Culler, N. Borisov, S.
Czerwinski, R. Gummadi, J. Hill, A. Joseph, R. H. Katz, Z. M. Mao, S. Ross, B.
Zhao, “The Ninja Architecture for Robust Internet-Scale Systems and Services,” Journal of Computer Networks, Special Issue
on Pervasive Computing, to appear.
[Kubi00] J. Kubiatowicz, D. Bindel, Y. Chen, S.
Czerwinski, P. Eaton, D. Geels, R. Gummadi, S. Rhea, H. Weatherspoon, W.
Weimer, C. Wells, B. Zhao, “OceanStore: An Architecture for Global-Scale
Persistent Storage,” Proceedings of the Ninth international Conference on
Architectural Support for Programming Languages and Operating Systems (ASPLOS
2000), November 2000.
September
1999.
[Mao
01] Z. Mao, W. So, R. H. Katz, “Network Support for Mobile Multimedia Using a
Self-Adaptive Distributed Proxy,” ACM NOSSDAV 2001, New York, (June 2001).
[Microsoft
01] Microsoft Corporation, .Net Home Page, http://www.microsoft.com/net/default.asp.
[Stiller 99] B. Stiller, T. Braun, M. Gunter and B.
Plattner, “The CATI project: charging and accounting technology for the
Internet,” Proc. of 4th European Conference: Multimedia Applications, Services
and Techniques, pp. 281-96, May 1999.
[Sun
01] Sun Corporation, Java Home Page, http://www.java.sun.com/.
[Verma
99] D. Verma, Supporting Service Level
Agreements in IP Networks, Macmillan Publishing Company, New York, 1999.
[Zhuang 01] S. Zhuang, B. Zhao, A. Joseph, R. H. Katz, J. Kubiatowicz, “Bayeux: An Architecture for Wide-Area, Fault-Tolerant Data Dissemination Protocol,” ACM NOSSDAV 2001, New York, (June 2001).
[3GPP] http://www.3gpp.org/3G_Specs/3G_Specs.htm.
[Chuah 00] C. Chuah, L.
Subramanian, A. D. Joseph, R. H. Katz, “QoS Provisioning Using A Clearing House
Architecture,” 8th International Workshop on Quality of Service
(IWQOS 2000), Pittsburgh, PA, (June 2000).
[Mao 01] Z. Mao, W. So, R.
H. Katz, “Network Support for Mobile Multimedia Using a Self-Adaptive
Distributed Proxy,” ACM NOSSDAV 2001, New York, (June 2001).
[Microsoft 01] Microsoft
Corporation, .Net Home Page, http://www.microsoft.com/net/default.asp.
[Raman 00] B. Raman, R. H.
Katz, A. Joseph, “Providing Extensible Personal Mobility and Service Mobility
in an Integrated Communication Network,” 3rd IEEE Workshop on Mobile
Computing Systems and Applications (WMCSA2000), Monterey, CA, (December 2000).
[Sun 01] Sun Corporation,
Java Home Page, http://www.java.sun.com/.
[Zhuang 01] S. Zhuang, B. Zhao, A. Joseph, R. H. Katz, J. Kubiatowicz, “Bayeux: An Architecture for Wide-Area, Fault-Tolerant Data Dissemination Protocol,” ACM NOSSDAV 2001, New York, (June 2001).
[AF00]
Mehmet Altinel, Michael J. Franklin. Efficient Filtering of XML Documents for
Selective Dissemination of Information, Proceedings
of the International Conference on Very Large Data Bases, Cairo, September
2000.
[AH00]
Ron Avnur, Joseph M. Hellerstein. Eddies: Continuously Adaptive Query
Processing, Procedings of the ACM SIGMOD
Conference, Philadelphia, PA, June
2000,
[CFG00]
Ugur Cetintemel, Michael J. Franklin, and C. Lee Giles. Self-Adaptive User
Profiles for Large-Scale Data Delivery, Proceedings
of the International Conference on Data Engineering, San Diego, CA,
February, 2000, pp 622-633
[CFZ01] Mitch
Cherniack, Michael J. Franklin, Stan Zdonik. Expressing User Profiles for Data
Recharging, accepted for publication, IEEE
Personal Communications, April 2001 (to appear).
[HACO+99]
Joseph M. Hellerstein Ron Avnur, Andy Chou, Chris Olston, Vijayshankar Raman,
Tali Roth, Christian Hidber, Peter J.Haas. Interactive Data Analysis with
CONTROL, IEEE Computer 32(8), August, 1999, pp. 51-59.
Archer, G.C., Fenves, G.L., Thewalt, C. (1999).“A
New Object-Oriented Finite Element Analysis Program Architecture”, Computers & Structures, 70(1), pp.
63-75.
Arici, Y. and K. M. Mosalam, (2000) System
Identification and Modeling of Bridge Systems for Assessing Current Design
Procedures, Proceedings of SMIP2000
Seminar, Sept. 14, Sacramento, CA
Baise, L.G., and Glaser, S.D. (2000), Repeatability
of Site Response Estimates Made Using System Identification, Bulletin of the Seismological Society of
America, 90(4), pp. 993-1009.
Beck, J.L. (1978). Determining Models of Structures from Earthquake Records. Earthquake
Engineering Research Laboratory 78-01. California Institute of Technology.
Beck, J.L., and Katafygiotis, L.S. (1998). Updating Models and Their Uncertainties. I:
Baysian Statistical Framework, Journal of
Engineering Mechanics, 124(4), p. 455.
Buika, J. et al. (1998). “Advances in Scientific and
Engineering Post-Earthquake Operational Response and Disaster Intelligence,” Proceedings, Sixth U.S. National
Conference on Earthquake Engineering.
Farrar, C.R. and Doebling, S.W., (1997) Lessons
Learned from Applications of Vibration-Based Damage Identification Methods to
Large Bridge Structures, Proc. of the
International Workshop on Structural Health Monitoring, Stanford, CA, Sept
1997, pp. 351-370.
Farrar, C.R., Doebling, S.W., Nix, D.A., (2001)
Vibration-Based Structural Damage Identification, Philosophical Transactions
of the Royal Society: Mathematical, Physical & Engineering Sciences,
359(1778), pp. 131 – 149
DesRoches, R., Fenves, G.L. (1997). “Evaluation of
Recorded Earthquake Response of a Curved Highway Bridge”, Earthquake Spectra, 13(3), pp. 363-386.
Glaser, S.D., and Baise, L.G. (2000), System
Identification Estimation of Damping and Modal Frequencies at the Lotung Site, Soil Dynamics and Earthquake Engineering,
19(6), pp. 521-531.
Heaton, T. (1996). “ The TriNet Project,”
Proceedings, Eleventh World Conference on Earthquake Engineering, Elsevier
Science Ltd.,Paper No. 2136.
Hjelmstad, K. D.; Banan, M. R.; Banan, M. R. “On
Building Finite Element Models of Structures from Modal Response,” Earthquake Engineering & Structural
Dynamics, 24(1), pp. 53-67.
Lin, J.-S. and Zhang, Y. (1994). Nonlinear
structural identification using extended Kalman filter. Computers and Structures, 52(4),
p.757.
McConnell, K.G. (1995) Vibration Testing: theory and
practice, Wiley, p. 606.
McKenna, F., Fenves, G.L. (2000). “An
Object-Oriented Software Design for Parallel Structural Analysis”, Advanced Technology in Structural
Engineerings, Structures Congress 2000, ASCE.
NRC (1999). Reducing
Disaster Losses Through Better Information, Board of Natural Disaster,
National Research Council.
Safak, E. (1997). Propagation of Seismic Waves in
Tall Buildings. Tall Buildings for the 21st Century (Proceedings of the 4th
Conference on Tall Buildings in Seismic Regions), 129-154.
Scrivner, C., Worden, C.B. Wald, D.J. (2000). “Use
of TriNet ShakeMap to Manage Earthquake risk,” Proceedings, Sixth International
Conference on Seismic Zonation: Managing Earthquake Risk in the 21st Century,
EERI.
Sohn, H., Law, K.H. (1997). “Bayesian Probabilistic
Approach for Structure Damage Detection,” Earthquake
Engineering & Structural Dynamics, 26(12), pp. 1259-1281.
Stewart,J.P, Fenves, G.L. ((1998) “System
Identification for Evaluating Soil-Structure Interaction Effects in Buildings
from Strong Motion Recordings”, Earthquake
Engineering and Structural Dynamics, 27(8), pp. 869-885.
Smyth, A.W., Masri, S.F., Chassiakos, A.G., and Caughey,
T.K. (1999). On-Line Parameter
Identification of MDOF Nonlinear Hysteretic Systems, Journal of Engineering Mechanics, 125(2), p. 133.
TriNet (2001). “TriNet: Seismic System for Southern
California,” http://www.trinet.org/.
Udwadia, F. E. (1985). Some Uniqueness Results
Related to Soil and Building Structural Identification, SIAM J. Applied Math., 45(4), p. 674.
Werner, S.D., Crouse, C.B.,
Katafygiotis, L.S., and Beck, J.L. (1994) Use of strong motion records for
model evaluation and seismic analysis of a bridge structure, Proceedings of the Fifth U.S. National
Conference on Earthquake Engineering, 1, 511-520.
Arici, Y. and K. M. Mosalam,
(2000) System Identification and Modeling of Bridge Systems for Assessing
Current Design Procedures, Proceedings of
SMIP2000 Seminar, Sept. 14, Sacramento, CA
Baise, L.G., and Glaser,
S.D. (2000), Repeatability of Site Response Estimates Made Using System
Identification, Bulletin of the
Seismological Society of America, 90(4), pp. 993-1009.
Beck, J.L. (1978). Determining Models of Structures from
Earthquake Records. Earthquake Engineering Research Laboratory 78-01.
California Institute of Technology.
Beck, J.L., and
Katafygiotis, L.S. (1998). Updating
Models and Their Uncertainties. I: Baysian Statistical Framework, Journal of Engineering Mechanics,
124(4), p. 455.
Farrar, C.R. and Doebling,
S.W., (1997) Lessons Learned from Applications of Vibration-Based Damage
Identification Methods to Large Bridge Structures, Proc. of the International Workshop on Structural Health Monitoring,
Stanford, CA, Sept 1997, pp. 351-370.
Farrar, C.R., Doebling,
S.W., Nix, D.A., (2001) Vibration-Based Structural Damage Identification, Philosophical
Transactions of the Royal Society: Mathematical, Physical & Engineering
Sciences, 359(1778), pp. 131 - 149
Glaser, S.D., and Baise,
L.G. (2000), System Identification Estimation of Damping and Modal Frequencies
at the Lotung Site, Soil Dynamics and
Earthquake Engineering, 19(6), pp. 521-531.
Lin, J.-S. and Zhang, Y.
(1994). Nonlinear structural identification using extended Kalman filter. Computers and Structures, 52(4), p.757.
McConnell, K.G. (1995)
Vibration Testing: theory and practice, Wiley, p. 606.
Safak, E. (1997).
Propagation of Seismic Waves in Tall Buildings. Tall Buildings for the 21st
Century (Proceedings of the 4th Conference on Tall Buildings in Seismic
Regions), 129-154.
Smyth, A.W., Masri, S.F.,
Chassiakos, A.G., and Caughey, T.K. (1999).
On-Line Parameter Identification of MDOF Nonlinear Hysteretic Systems, Journal of Engineering Mechanics,
125(2), p. 133.
Udwadia, F. E. (1985). Some
Uniqueness Results Related to Soil and Building Structural Identification, SIAM J. Applied Math., 45(4), p. 674.
Werner, S.D., Crouse, C.B.,
Katafygiotis, L.S., and Beck, J.L. (1994) Use of strong motion records for
model evaluation and seismic analysis of a bridge structure, Proceedings of the Fifth U.S. National
Conference on Earthquake Engineering, 1, 511-520.
[3GPP] http://www.3gpp.org/3G_Specs/3G_Specs.htm.
[Braden 97] R. Braden, L.
Zhang, S. Berson, S. Herzog and S. Jamin, “ReSerVation Protocol (RSVP) Version
1 Functional Specification,” Internet RFC 2205, IETF Network Working Group,
September 1997. //www.merit.edu/~ipma/tools/lookingglass.html.
[Chuah 00] C. Chuah, L. Subramanian, A. D. Joseph,
R. H. Katz, “QoS Provisioning Using A Clearing House Architecture,” 8th
International Workshop on Quality of Service (IWQOS 2000), Pittsburgh, PA,
(June 2000).
[Duffeld99] N. Duffeld, P.
Goyal, A. Greenberg, P. Mishra, K. K. Ramakrishnan, J. E. Van der Merwe, “A
Flexible Model for Resource Management in Virtual Private Networks," Proc.
of ACM Sigcomm, pp. 95-108, (September 1999).
[Gribble01]
S. D. Gribble, M. Welsh, R. von Behren, E. A. Brewer, D. Culler, N. Borisov, S.
Czerwinski, R. Gummadi, J. Hill, A. Joseph, R. H. Katz, Z. M. Mao, S. Ross, B.
Zhao, “The Ninja Architecture for Robust Internet-Scale Systems and Services,” Journal of Computer Networks, Special Issue
on Pervasive Computing, to appear.
[Kubi00] J. Kubiatowicz, D. Bindel, Y. Chen, S.
Czerwinski, P. Eaton, D. Geels, R. Gummadi, S. Rhea, H. Weatherspoon, W.
Weimer, C. Wells, B. Zhao, “OceanStore: An Architecture for Global-Scale
Persistent Storage,” Proceedings of the Ninth international Conference on
Architectural Support for Programming Languages and Operating Systems (ASPLOS
2000), November 2000.
September
1999.
[Mao
01] Z. Mao, W. So, R. H. Katz, “Network Support for Mobile Multimedia Using a
Self-Adaptive Distributed Proxy,” ACM NOSSDAV 2001, New York, (June 2001).
[Microsoft
01] Microsoft Corporation, .Net Home Page, http://www.microsoft.com/net/default.asp.
[Stiller 99] B. Stiller, T. Braun, M. Gunter and B.
Plattner, “The CATI project: charging and accounting technology for the
Internet,” Proc. of 4th European Conference: Multimedia Applications, Services
and Techniques, pp. 281-96, May 1999.
[Sun
01] Sun Corporation, Java Home Page, http://www.java.sun.com/.
[Verma
99] D. Verma, Supporting Service Level
Agreements in IP Networks, Macmillan Publishing Company, New York, 1999.
[Zhuang 01] S. Zhuang, B. Zhao, A. Joseph, R. H. Katz, J. Kubiatowicz, “Bayeux: An Architecture for Wide-Area, Fault-Tolerant Data Dissemination Protocol,” ACM NOSSDAV 2001, New York, (June 2001).
[3GPP] http://www.3gpp.org/3G_Specs/3G_Specs.htm.
[Chuah 00] C. Chuah, L.
Subramanian, A. D. Joseph, R. H. Katz, “QoS Provisioning Using A Clearing House
Architecture,” 8th International Workshop on Quality of Service
(IWQOS 2000), Pittsburgh, PA, (June 2000).
[Mao 01] Z. Mao, W. So, R.
H. Katz, “Network Support for Mobile Multimedia Using a Self-Adaptive
Distributed Proxy,” ACM NOSSDAV 2001, New York, (June 2001).
[Microsoft 01] Microsoft
Corporation, .Net Home Page, http://www.microsoft.com/net/default.asp.
[Raman 00] B. Raman, R. H.
Katz, A. Joseph, “Providing Extensible Personal Mobility and Service Mobility
in an Integrated Communication Network,” 3rd IEEE Workshop on Mobile
Computing Systems and Applications (WMCSA2000), Monterey, CA, (December 2000).
[Sun 01] Sun Corporation,
Java Home Page, http://www.java.sun.com/.
[Zhuang 01] S. Zhuang, B. Zhao, A. Joseph, R. H. Katz, J. Kubiatowicz, “Bayeux: An Architecture for Wide-Area, Fault-Tolerant Data Dissemination Protocol,” ACM NOSSDAV 2001, New York, (June 2001).
[AF00]
Mehmet Altinel, Michael J. Franklin. Efficient Filtering of XML Documents for
Selective Dissemination of Information, Proceedings
of the International Conference on Very Large Data Bases, Cairo, September
2000.
[AH00]
Ron Avnur, Joseph M. Hellerstein. Eddies: Continuously Adaptive Query
Processing, Procedings of the ACM SIGMOD
Conference, Philadelphia, PA, June
2000,
[CFG00]
Ugur Cetintemel, Michael J. Franklin, and C. Lee Giles. Self-Adaptive User
Profiles for Large-Scale Data Delivery, Proceedings
of the International Conference on Data Engineering, San Diego, CA,
February, 2000, pp 622-633
[CFZ01] Mitch
Cherniack, Michael J. Franklin, Stan Zdonik. Expressing User Profiles for Data
Recharging, accepted for publication,
IEEE Personal Communications, April 2001 (to appear).
[HACO+99]
Joseph M. Hellerstein Ron Avnur, Andy Chou, Chris Olston, Vijayshankar Raman,
Tali Roth, Christian Hidber, Peter J.Haas. Interactive Data Analysis with
CONTROL, IEEE Computer 32(8), August, 1999, pp. 51-59.
[HFCD+00]
Joseph M. Hellerstein, Michael J. Franklin, Sirish Chandrasekaran, Amol
Deshpande, Kris Hildrum, Sam Madden, Vijayshankar Raman, Mehul Shah. Adaptive
Query Processing: Technology in Evolution,
IEEE Data Engineering Bulletin, June 2000, pp 7-18.
[UFA98] Tolga Urhan, Michael J. Franklin,
Laurent Amsaleg. Cost Based Query Scrambling for Initial Delays,Procedings of the ACM SIGMOD Conference, Seattle, WA, June 1998, pp. 130-141.
[Bertram00a] Bertram, M., Barnes, J.C.,
Hamann, B., Joy, K.I., Pottmann, H. and Wushour, D. (2000), Piecewise optimal
triangulation for the approximation of scattered data in the plane, Computer
Aided Geometric Design 17(8), ELSEVIER, pp. 767-787.
[Bertram00b]
Bertram, M., Duchaineau, M.A., Hamann, B. and Joy, K.I. (2000), Bicubic
subdivision-surface wavelets for large-scale isosurface representation and
visualization, in: Ertl, T., Hamann, B. and Varshney, A., eds., Visualization
2000, IEEE Computer Society Press, Los Alamitos, California, pp. 389-396.
[Bertram00c]
Bertram, M., Duchaineau, M.A., Hamann, B. and Joy, K.I. (2000), Wavelets on
planar tesselations, in: Arabnia, H.R., Coudoux, F.-X., Mun, Y., Power, G.P.,
Sarfraz, M. and Zhu, Q., eds., Proc. The 2000 International Conference on
Imaging Science, Systems, and Technology (CISST 2000), Computer Science
Research, Education, and Applications Press (CSREA), Athens, Georgia, pp.
619-625.
[Bonnell00]
Bonnell, K.S., Schikore, D.R., Joy, K.I., Duchaineau, M.A. and Hamann, B.
(2000), Constructing material interfaces from data sets with volume-fraction information,
in: Ertl, T., Hamann, B. and Varshney, A., eds., Visualization 2000, IEEE
Computer Society Press, Los Alamitos, California, pp. 367-372.
[Bremer01]
Bremer, P.-T., Hamann, B., Kreylos, O. and Wolter, F.-E. (2001), Simplification
of closed triangulated surfaces using simulated annealing, in: Lyche, T. and
Schumaker, L.L., eds., Mathematical Methods in CAGD: Oslo 2000, Vanderbilt
University Press, Nashville, Tennessee, pp. 45-54.
[Gieng98]
Gieng, T.S., Hamann, B., Joy, K.I., Schussman, G.L. and Trotts, I.J. (1998),
Constructing hierarchies for triangle meshes, IEEE Transactions on
Visualization and Computer Graphics 4(2), pp. 145-161.
[Gregorski00]
Gregorski, B.F., Hamann, B. and Joy, K.I. (2000), Reconstruction of B-spline
surfaces from scattered data points, in: Magnenat-Thalmann, N. and Thalmann,
D., eds., Proceedings of Computer Graphics International 2000, pp. 163-170.
[Hamann99a]
Hamann, B., Jordan, B.W. and Wiley, D.F. (1999), On a construction of a
hierarchy of best linear spline approximations using repeated bisection, IEEE
Transactions on Visualization and Computer Graphics 5(1/2), pp. 30-46, p. 190
(errata).
[Hamann99b]
Hamann, B., Kreylos, O., Monno, G. and Uva, A.E. (1999), Optimal linear spline
approximation of digitized models, in: Banissi, E., Khosrowshahi, F., Sarfraz,
M., Tatham, E. and Ursyn, A., eds., Proc. "1999 IEEE International
Conference on Information Visualization (IV '99) - Computer Aided Geometric
Design Symposium," IEEE Computer Society Press, Los Alamitos, California,
pp. 244-249.
[Heckel99a]
Heckel, B., Uva, A.E. and Hamann, B. (1999), Cluster-based generation of
hierarchical surface models, in: Hagen, H., Nielson, G.M. and Post, F., eds.,
Proc. Scientific Visualization - Dagstuhl '97, second printing, IEEE Computer
Society Press, Los Alamitos, California, pp. 113-122.
[Heckel99b]
Heckel, B., Weber, G.H., Hamann, B. and Joy, K.I. (1999), Construction of
vector field hierarchies, in: Ebert, D.S., Gross, M. and Hamann, B., eds.,
Visualization '99, IEEE Computer Society Press, Los Alamitos, California, pp.
19-25.
[Kreylos99]
Kreylos, O. and Hamann, B. (1999), On simulated annealing and the construction
of linear spline approximations for scattered data, in: Groeller, E.,
Loeffelmann, H. and Ribarsky, W., eds., Data Visualization '99 (Proc.
"VisSym '99"), Springer-Verlag, Vienna, Austria, pp. 189-198.
[Kreylos00]
Kreylos, O., Ma, K.-L. and Hamann, B. (2000), A multi-resolution interactive
previewer for volumetric data on arbitrary meshes, in: Outhyoung, M. and Shih,
Z.-C., eds., Proc. 2000 International Computer Symposium – Workshop on Computer
Graphics and Virtual Reality, Department of Computer Science and Information
Engineering, National Chung Cheng University, Chiayi, Taiwan, R.O.C., pp.
74-81.
[Kuester00]
Kuester, F., Duchaineau, M.A., Hamann, B., Joy, K.I. and Ma, K. L. (2000), The
DesignersWorkbench: towards real-time immersive modeling, in: Merritt, J.O.,
Benton, S.A., Woods, A.J. and Bolas, M.T., eds., Stereoscopic Displays and
Virtual Reality Systems VII, Proc. SPIE Vol. 3957, SPIE – The International
Society for Optical Engineering, Bellingham, Washington, pp. 464-472.
[LaMar99]
LaMar, E.C., Hamann, B. and Joy, K.I. (1999), Multiresolution techniques for
interactive texture-based volume visualization, in: Ebert, D.S., Gross, M. and
Hamann, B., eds., Visualization '99, IEEE Computer Society Press, Los Alamitos,
California, pp. 355-361.
[Scheuermann00]
Scheuermann, G., Hamann, B., Joy, K.I. and Kollmann, W. (2000), Visualizing
local vector field topology, Journal of Electronic Imaging 9(4), special
section on visualization and data analysis, SPIE - The International Society
for Optical Engineering, pp. 356-367.
[Schussman00]
Schussman, S.E., Bertram, M., Hamann, B. and Joy, K.I. (2000), Hierarchical
data representations based on planar Voronoi diagrams, in: de Leeuw, W.C., van
Liere, R., eds., Data Visualization 2000 (Proc. "VisSym '00"),
Springer-Verlag, Vienna, Austria, pp. 63-72.
[Trotts99]
Trotts, I.J., Hamann, B. and Joy, K.I. (1999), Simplification of tetrahedral
meshes with error bounds, IEEE Transactions on Visualization and Computer
Graphics 5(3), pp. 224-237.
[Henzinger-Sastry98]
T. A. Henzinger and S. S. Sastry, “Hybrid Systems: Computation and Control”,
Springer Verlag Lecture Notes in CS, Vol. LNCS 1386, 1998.
[TLS00]
C. J. Tomlin, J. Lygeros and S. Sastry, “A Game Theoretic Approach to
Controller Design for Hybrid Systems”, Proceedings of the IEEE, Special Issue
on Hybrid Systems, Vol. 88, July 2000, pp. 949-970.
[HQR00] T. Henzinger, S. Qadeer and S. Rajamani,
“Decomposing refinement proofs using assume guarantee reasoning, “ Proceedings
of the IEEE/ACM Conference on Computer Aided Design, ICCAD 2000, pp. 245-252.
[1] J. M. Christensen and J. M. Howard. Field Experience in Maintenance. Human Detection and Diagnosis of System Failures: Proceedings of the NATO Symposium on Human Detection and Diagnosis of System Failures, J. Rasmussen and W. Rouse (Eds.). New York: Plenum Press, 1981, 111–133.
[2] S. Fisher. E-business redefines infrastructure needs. InfoWorld, 7 January 2000. Available from www.inforworld.com.
[3] J. Gray. Why Do Computers Stop and What Can Be Done About It? Symposium on Reliability in Distributed Software and Database Systems, 3–12, 1986.
[4] J. Hamilton. Fault Avoidance vs. Fault Tolerance: Testing Doesn’t Scale. High Performance Transaction Systems (HPTS) Workshop, Asilomar, CA, 1999.
[5] C. Perrow. Normal Accidents: Living with High-Risk Technologies. Princeton, NJ: Princeton Press, 1999.
[6] B. H. Kantowitz and R. D. Sorkin. Human Factors: Understanding People-System Relationships. New York: Wiley, 1983.
[7] D. R. Kuhn. Sources of Failure in the Public Switched Telephone Network. IEEE Computer 30(4), April 1997.
[8] J. Menn. Prevention of Online Crashes is No Easy Fix. Los Angeles Times, 2 December 1999, C-1.
[9] B. Murphy and T. Gent. Measuring System and Software Reliability using an Automated Data Collection Process. Quality and Reliability Engineering International, 11:341–353, 1995.
[10] A. Brown, G. Kar, and A. Keller. An Active Approach to
Characterizing Dynamic Dependencies for Problem Determination in a Distributed
Environment. To appear in Proceedings of the Seventh IFIP/IEEE International
Symposium on Integrated Network Management (IM VII), Seattle, WA, May 2001.
[11] A. Brown and D. A. Patterson. Towards Availability Benchmarks: A
Case Study of Software RAID Systems.
Proceedings of the 2000 USENIX Annual Technical Conference, San Diego,
CA, June 2000.
[12] Arpaci-Dusseau, R.;
Anderson, E.; Treuhaft, N.; Culler, D.; Hellerstein, J.; Patterson, D.; Yelick,
K. Cluster I/O with River: Making the
Fast Case Common, Proc. IOPADS '99:
Sixth Workshop on I/O in Parallel and Distributed Systems, Atlanta, Georgia,
May 5, 1999.
[Newman 00] Newman, M.W. and J.A. Landay. Sitemaps,
Storyboards, and Specifications: A Sketch of Web Site Design Practice as
Manifested Through Artifacts. In Proceedings of ACM Conference on Designing Interactive Systems. New York
City. pp. 263-274, August 2000.
[Elliott 00]
Elliott, A. and Hearst, M. How Large Should a Digital Desk Be?Qualitative
Results of a Comparative Study in the Proceedings of CHI'00, Conference
Companion, The Hague, Netherlands, 2000.
[Hong 01]
Hong, J.I. and J.A. Landay, An Infrastructure Approach to Context-Aware
Computing. Human-Computer Interaction, 2001. 16(2).
[Hearst 99]
Hearst, M., User Interfaces and Visualization, in Modern Information Retrieval,
Baeza-Yates and Ribeiro-Neto (Eds), Addison-Wesley Longman, 1999.
[Glaser 99]
Glaser, D. and Hearst, M. Space Series: Simultaneous display of spatial and temporal data, IEEE Symposium on Information Visualization, October 1999.
[Yee 01]
Yee, P., Dhamija, R., Fischer, D., Hearst, M., Animated Exploration of Graphs
with Radial Layout, Submitted for publication, 2001.
[Olston 98]
Olston, C., Woodruff, A., Aiken, A., Chu, M., Ercegovac, V., Lin, M., Spalding,
M., Stonebraker, M. DataSplash, SIGMOD 1998, Seattle, Washington, June 1998.
[Avnur 98]
Avnur, R., Hellerstein, J., Lo, B., Olston, C., Raman, B., Raman, V., Roth, T.,
Wylie, K. CONTROL: Continuous Output and Navigation Technology with Refinement
On-Line, SIGMOD 1998, Seattle, Washington, June 1998.
CITATIONS 1.1
A. Perrig, R. Canetti, J. D. Tygar, D. Song. "Efficient Authentication and Signing
of Multicast Streams over Lossy Channels". In Proceedings of the 2000 IEEE Symposium on Security and
Privacy, May 2000, pages 56 - 73.
A. Perrig, R. Canetti, D. Song, J. D. Tygar. "Efficient and Secure Source
Authentication for Multicast". In
Proceedings of the Internet Society Network and Distributed System Security
Symposium, February 2001.
CITATIONS 1.2
http://tinyos.millennium.berkeley.edu/
J. M. Kahn, R. H. Katz and K. S. J. Pister. "Mobile
Networking for Smart Dust". ACM/IEEE Intl. Conf. on Mobile Computing and
Networking (MobiCom 99), Seattle, WA, August 17-19, 1999.
CITATIONS 1.3
A. Perrig, D. Song, J. D. Tygar. "ELK:
A New Protocol for Efficient Large-Group Key Distribution". To appear in Proceedings of the 2001 IEEE
Symposium on Security and Privacy, May 2001.
CITATIONS 2.1
National Research Council Committee on Information
Systems Trustworthiness. Trust in
Cyberspace. National Academy Press, 1999.
J. D. Tygar, A. Whitten. "Why Isn't the Internet Secure Yet?" In ASLIB Proceedings, Volume 52, Number 3,
March 2000, pages 93-97.
L. J. Camp, J. D. Tygar. "Protecting privacy while preserving access to data".
In The Information Society, Volume 10, Number 1, January 1994, pages 59-71.
CITATIONS 2.2
[Pam Samuelson may provide additional citations]
CITATIONS 3
[David Wagner may provide additional citations]
CITATIONS 4
[Pam Samuelson may provide additional ciations]
Archer, G.C., Fenves, G.L., Thewalt, C. (1999).“A New Object-Oriented Finite Element Analysis Program Architecture”, Computers & Structures, 70(1), pp. 63-75.
Arici, Y. and K. M. Mosalam, (2000) System Identification and Modeling of Bridge Systems for Assessing Current Design Procedures, Proceedings of SMIP2000 Seminar, Sept. 14, Sacramento, CA
Baise, L.G., and Glaser, S.D. (2000), Repeatability of Site Response Estimates Made Using System Identification, Bulletin of the Seismological Society of America, 90(4), pp. 993-1009.
Beck, J.L. (1978). Determining Models of Structures from Earthquake Records. Earthquake Engineering Research Laboratory 78-01. California Institute of Technology.
Beck, J.L., and Katafygiotis, L.S. (1998). Updating Models and Their Uncertainties. I: Baysian Statistical Framework, Journal of Engineering Mechanics, 124(4), p. 455.
Buika, J. et al. (1998). “Advances in Scientific and Engineering Post-Earthquake Operational Response and Disaster Intelligence,” Proceedings, Sixth U.S. National Conference on Earthquake Engineering.
Farrar, C.R. and Doebling, S.W., (1997) Lessons Learned from Applications of Vibration-Based Damage Identification Methods to Large Bridge Structures, Proc. of the International Workshop on Structural Health Monitoring, Stanford, CA, Sept 1997, pp. 351-370.
Farrar, C.R., Doebling, S.W., Nix, D.A., (2001) Vibration-Based Structural Damage Identification, Philosophical Transactions of the Royal Society: Mathematical, Physical & Engineering Sciences, 359(1778), pp. 131 – 149
DesRoches, R., Fenves, G.L. (1997). “Evaluation of Recorded Earthquake Response of a Curved Highway Bridge”, Earthquake Spectra, 13(3), pp. 363-386.
Glaser, S.D., and Baise, L.G. (2000), System Identification Estimation of Damping and Modal Frequencies at the Lotung Site, Soil Dynamics and Earthquake Engineering, 19(6), pp. 521-531.
Heaton, T. (1996). “ The TriNet Project,” Proceedings, Eleventh World Conference on Earthquake Engineering, Elsevier Science Ltd.,Paper No. 2136.
Hjelmstad, K. D.; Banan, M. R.; Banan, M. R. “On Building Finite Element Models of Structures from Modal Response,” Earthquake Engineering & Structural Dynamics, 24(1), pp. 53-67.
Lin, J.-S. and Zhang, Y. (1994). Nonlinear structural identification using extended Kalman filter. Computers and Structures, 52(4), p.757.
McConnell, K.G. (1995) Vibration Testing: theory and practice, Wiley, p. 606.
McKenna, F., Fenves, G.L. (2000). “An Object-Oriented Software Design for Parallel Structural Analysis”, Advanced Technology in Structural Engineerings, Structures Congress 2000, ASCE.
NRC (1999). Reducing Disaster Losses Through Better Information, Board of Natural Disaster, National Research Council.
Safak, E. (1997). Propagation of Seismic Waves in Tall Buildings. Tall Buildings for the 21st Century (Proceedings of the 4th Conference on Tall Buildings in Seismic Regions), 129-154.
Scrivner, C., Worden, C.B. Wald, D.J. (2000). “Use of TriNet ShakeMap to Manage Earthquake risk,” Proceedings, Sixth International Conference on Seismic Zonation: Managing Earthquake Risk in the 21st Century, EERI.
Sohn, H., Law, K.H. (1997). “Bayesian Probabilistic Approach for Structure Damage Detection,” Earthquake Engineering & Structural Dynamics, 26(12), pp. 1259-1281.
Stewart,J.P, Fenves, G.L. ((1998) “System Identification for Evaluating Soil-Structure Interaction Effects in Buildings from Strong Motion Recordings”, Earthquake Engineering and Structural Dynamics, 27(8), pp. 869-885.
Smyth, A.W., Masri, S.F., Chassiakos, A.G., and Caughey, T.K. (1999). On-Line Parameter Identification of MDOF Nonlinear Hysteretic Systems, Journal of Engineering Mechanics, 125(2), p. 133.
TriNet (2001). “TriNet: Seismic System for Southern California,” http://www.trinet.org/.
Udwadia, F. E. (1985). Some Uniqueness Results Related to Soil and Building Structural Identification, SIAM J. Applied Math., 45(4), p. 674.
Werner, S.D., Crouse, C.B., Katafygiotis, L.S., and Beck, J.L. (1994) Use of strong motion records for model evaluation and seismic analysis of a bridge structure, Proceedings of the Fifth U.S. National Conference on Earthquake Engineering, 1, 511-520.
[DE1](See Tiny OS and DC NEST)
power-aware, concurrency-intensive evnet-driven operation
multiple concurrent specialized activities
in situ programming