154 (IJCNS) International Journal of Computer and Network Security,

Vol. 2, No. 6, June 2010

Session Based Load Optimization Techniques to

Enhance Security & Efficiency of E-commerce
Transactions
R.K. Pateriya1, J.L. Rana2 and S.C. Shrivastava3
1
Associate Professor , Department of Information Technology,
Maulana Azad National Institute of Technology (MANIT) Bhopal, India
pateriyark@gmail.com
2
Professor , Department of Computer Science and Engineering,
Maulana Azad National Institute of Technology (MANIT) Bhopal, India
jl_rana@yahoo.co.in
3
Professor , Department of Electronics Engineering,
Maulana Azad National Institute of Technology (MANIT) Bhopal, India
scs_manit@yahoo.co.in

Abstract: Today internet based e-commerce has become a
trend and business necessity. Secure Socket layer (SSL) is the
world standard for cyber security. A SSL session contains
temporally and logically related request sequences from the
same client. In e-commerce session integrity is a critical metric.
Overload on server can lead e-commerce applications to
considerable revenue losses, response times may grow to
unacceptable levels and as a result the server may saturate or
even crash .Session based admission control techniques is able
to control the server load . The purpose of this paper is to review
about various session based admission control techniques to
avoid server overload. Overload control is a critical goal so that
a system can remain operational even when the incoming
request rate is several times greater than the system capacity
and this admission control mechanism based on session will
maximize the number of sessions completed successfully,
allowing e-commerce sites to increase the number of
transactions completed, generating higher benefits and
optimizes performance.
Keywords: Admission control, Application servers,
Overload control, Service differentiation
1. Introduction
E-Commerce is a growing phenomenon as consumers gain
experience and comfort with shopping on the Internet .Most
of e-commerce web sites applications are session-based.
Access to a web service occurs in the form of a session
consisting of a sequence of individual requests. Placing an
order through the web site involves further requests relating
to selecting a product, providing shipping information,
arranging payment agreement and finally receiving a
confirmation. So for a customer trying to place an order or a
retailer trying to make a sale, the real measure of a web
server performance is its ability to process the entire
sequence of requests needed to complete a transaction. The
higher the number of sessions completed the higher the
amount of revenue that is likely to be generated as discussed
in [3]. Sessions that are broken or delayed at some critical
stages, like checkout and shipping, could mean loss of
revenue to the web site. Security between network nodes
over the Internet is traditionally provided using Secure
Socket Layer (SSL). It is commonly used for secure http
connections where credit card information is going to be sent along
a network and this gives e-commerce the confidence it needs
to allow on-line banking and shopping.. SSL provides and
encrypted bi-directional data stream, data is encrypted at the
sender's end and decrypted at the receiver's end. It can
perform mutual authentication of both the sender and
receiver of messages and ensure message confidentiality.
This process involves certificates that are configured on both
sides the connection. Although providing these security
capabilities does not introduce a new degree of complexity
in web application structure, it increases remarkably the
computation time needed to serve a connection, due to the
use of cryptographic techniques, becoming a CPU intensive
workload.
Two problems are typically encountered with deploying e-
commerce Web sites presented in [1,2]. First is overload,
where the volume of requests for content at a site
temporarily exceeds the capacity for serving them and
renders the site unusable. Second is responsiveness, where
the lack of adequate response time leads to lowered usage of
a site and subsequently, reduced revenues. During overload
conditions, the service’s response times may grow to
unacceptable levels, and exhaustion of resources may cause
the service to behave erratically or even crash causing denial
of services. For this reason, overload prevention in these
applications is a critical issue. Several mechanisms have
been proposed in [1,3,4] to deal with overload, such as
admission control, request scheduling, service
differentiation, service degradation.
Request scheduling refers to the order in which
concurrent requests should be served. A well known form is
queuing theory (SRPT) that shortest remaining processing
time first scheduling minimizes queuing time .Better
scheduling can always be complementary to any other
mechanism .Service differentiation is based on
differentiating classes of customers so that response times of
preferred clients do not suffer in the presence of overload.
Service degradation is based on avoiding refusing clients as
 (IJCNS) International Journal of Computer and Network Security, 155
a response to overload but reducing the service offered to
clients for example in the form on providing smaller
content.
Admission control generally requires two components
knowing the load that a particular job will generate on a
system, and knowing the capacity of that system. By keeping
the maximum amount of load just below the system
capacity, overload is prevented and peak throughput is
achieved discussed in [1,2]. The goal of overload control is
to prevent service performance from degrading in an
uncontrolled fashion under heavy load, it is often desirable
to shed load.
The rest of the paper is organized as follows:
Section II Overview of Session based admission control
(SBAC) techniques. Section III presents SSL connection
differentiation and admission control. Sections IV CPU
Utilization-Based Implementation of SBAC Mechanism.
Section V Adaptive admission control technique. Section
VI Comparative study of SBAC techniques. Section VII
Conclusion.
2. Overview of SBAC Techniques
The Admission control is based on reducing the amount of
work the server accepts when it is faced with overload. For
example, admission control on per request basis may lead to
a large number of broken or incomplete sessions when the
system overloaded Sessions have distinguishable features
from individual requests that complicate the overload
control. Session-based workload gives a new interesting
angle to revisit and re-valuate the definition of web server
performance. It proposes to measure a server throughput as
a number of successfully completed sessions. The reason, for
failure of admission control techniques that work on a per
request basis discussed in [1,2], is because it leads to large
number of broken or incomplete sessions when the system is
overloaded, hence cause revenue loss. Session integrity is a
critical metric in e-commerce.
Research in admission control, can be roughly categorized
under two broad approaches presented in [3,5]: First is
reducing the amount of work required when faced with
overload, and second is differentiating classes of customers
so that response times of preferred clients do not suffer in
the presence of overload. This paper focuses on first
approach by reducing amount of work for admission
control.
There are two desirable, but somewhat contradictory,
properties for an admission control mechanism: stability and
responsiveness discussed in [1,2]. In case, when the server
receives an occasional burst of new traffic, while still being
under a manageable load, the stability, which takes into
account some load history, is a desirable property for
admission control mechanism. It helps to maximize server
throughput and to avoid unnecessary rejection of newly
arrived sessions. However, if a server's load during previous
time intervals is consistently high, and exceeds its capacity,
the responsiveness is very important: The admission control
policy should be switched on as soon as possible, to control
and reject newly arriving traffic. There is a trade-off
between these two desirable properties for an admission
control mechanism.
The following two values help to check an admission
Vol. 2, No. 6, June 2010
control goodness discussed in [1,2]: First is the percentage
of aborted requests, which server can determine based on the
client side closed connections. Aborted requests indicate that
the level of service is unsatisfactory. Typically, aborted
requests lead to aborted sessions, and could serve as a good
warning sign of degrading server performance; second is a
percentage of connection refused messages sent by a server,
in the case of full listen queue. Refused connections are the
dangerous warning sign of an overloaded server and its
inevitable poor session performance. If both of these values
are zero then it reveals that an admission control
mechanism uses an adequate admission control function to
cope with current workload and traffic rate. Good admission
control strategy which minimizes a percentage of aborted
requests and refused connections (ideally to 0) and
maximizes the achievable server throughput .Now in the
following sections we are going to discuss three techniques
of session based admission control and their comparative
study
3. SSL Connection Differentiation and
Admission Control
SSL connections is 7 times lower than when using normal
connections. Based on the SSL connection differentiation, a
session-based adaptive admission control mechanism is
implemented in [3,4] .This mechanism allows the server to
avoid throughput degradation and response time increments
occurred during overload conditions. The server
differentiates full SSL connections from resumed SSL
connections and limits the acceptance of full SSL
connections to the maximum number possible without
overloading the available resources, while it accepts all the
resumed SSL connections. In this way, this admission
control mechanism maximizes the number of sessions
completed successfully, allowing e-commerce sites based on
SSL to increase the number of transactions completed, thus
generating higher benefit .
The SSL protocol fundamentally has two phases of
operation SSL handshake and SSL record protocol. Two
different SSL handshake types can be distinguished
discussed in [3,4 ,9]: The full SSL handshake and the
resumed SSL handshake. Most of the computation time
required when using SSL is spent during the SSL handshake
phase, which features the negotiation between the client and
the server to establish a SSL connection. The full SSL
handshake is negotiated when a client establishes a new SSL
connection with the server, and requires the complete
negotiation of the SSL handshake, including parts that need
a lot of computation time to be accomplished The SSL
resumed handshake is negotiated when a client establishes a
new HTTP connection with the server but resumes an
existing SSL connection, the SSL session ID is reused hence
part of the SSL handshake negotiation can be avoided,
reducing considerably the computation time for performing
a resumed SSL handshake Note their is big difference
between the time to negotiate a full SSL handshake
compared to the time to negotiate a resumed SSL handshake
i.e. (175 ms vs. 2 ms) given in [3,4].
156
A session oriented adaptive mechanism discussed in
[3,4] performs admission control based on SSL connection
differentiation continuously monitors incoming secure
connections to the server, performs online measurements
distinguishing new SSL connections from resumed SSL
connections and decides which incoming SSL connections
are accepted and hence maximizing the number of sessions
successfully completed . This maximum depends on the
available processors for the server and the computational
demand required by the accepted resumed connections.
Following are the definition of variable used in
calculation taken from [3,4]] :K sampling interval (currently
defined as 2 s), O(k) :defined as the number of resumed SSL
connections that arrive to the server during that interval.
CTO: The average computation time entailed by a resumed
SSL connection .CTN: the average computation time
entailed by a new SSL connection . N(k): defined as the
maximum number of new SSL connections that can be
accepted by the server during that interval without
overloading. A(k): defined as the number of processors
allocated to the server. Admission control mechanism
periodically calculates, at the beginning of every sampling
interval k maximum number of new connection allowed.
Since resumed SSL connections have preference with
respect to new SSL connections all resumed SSL
connections are accepted.(O(k) · CTO) is the computation
time required by the already accepted resumed SSL
connections .Hence maximum number of new connection
allowed:
N(k)=(k*A(k)–O(k)*CTO)/CTN (1)
Figure 1. Completed sessions by the original Tomcat with
different numbers of processors
Figure 2. Completed sessions with overload control with
different numbers of processors
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 6, June 2010
Above figure are taken from [3,4] shows considerable
improvement using overload control mechanism as
compared to without overload control policy and maximizes
number of completed session
4. CPU Utilization Based SBAC Mechanism
A simple implementation of session based admission
control is based on server CPU utilization presented in [1,2]
. It measures and predicts the server utilization, rejects new
sessions when the server becomes critically loaded and
sends an explicit message of rejection to the client of a
rejected session.
U_ac (admission control) is threshold which establishes
the critical server utilization level to switch on the
admission control policy);T1; T2; :::; Ti a sequence of time
intervals used for making a decision whether to admit (or to
reject) new sessions during the next time interval, this
sequence is defined by the ac-interval length; F_ac is an ac-
function used to evaluate the predicted utilization and
distinguish two different values for server utilization ;
U_measured(i) is a measured server utilization during;Ti{
the i-th ac-interval}; U_predicted( i+1) is a predicted
utilization computed using a given ac-function f_ac after ac-
interval Ti and before a new ac-interval Ti+1 begins,.
U_predicted(i+1)=f_ac(i+1) (2)
f_ac(1)=U_ac (3)
f_ac(i+1)=(1-k)*f_ac(i)+k*U_measured(i) (4)
where k is a damping coefficient between 0 and 1, and it is
called ac-weight coefficient. which cover the space between
ac-stable and ac-responsive policies. A web server with an
admission control mechanism re-evaluates its admission
strategy on intervals T1; T2; :::; Ti; ::: boundaries. Web
server behavior for the next time interval Ti+1 is defined in
[1,2] in the following way :.If ( U_predicted(i+1) > U_ac)
then any new session arrived during Ti+1 will be rejected,
and web server will process only requests belonging to
already accepted sessions or if ( U_predicted(i+1) < U_ac )
then web server during Ti+1 is functioning in a usual mode:
processing requests from both new and already accepted
sessions. It is the simplest techniques but are not giving very
satisfactory results.
5. Adaptive Admission Control Technique
Predictive admission control strategy and Hybrid
admission policies as discussed in[1,2] allow the design of a
powerful admission control mechanism which tunes and
adjusts itself for better performance across different
workload types and different traffic loads[2].
Predictive admission control strategy evaluates the
observed workload and makes its prediction for the load in
the nearest future. It consistently shows the best
performance results for different workloads and different
traffic patterns. For workloads with short average session
length, predictive strategy is the only strategy which
provides both highest server throughput in completed
sessions and no (or, practically no) aborted sessions.
 (IJCNS) International Journal of Computer and Network Security, 157
Hybrid admission control strategy which tunes itself to be
more responsive or more stable on a basis of observed
quality of service. It successfully combines most attractive
features of both responsive and stable policies. It improves
performance results for workloads with medium to long
average session length.
6. Comparative study of SBAC Techniques
CPU utilization based implementation presented in [1,2]
is the simplest implementation of session based admission
control but can break under certain rates and not work
properly, reason is that the decision ,whether to admit or
reject new sessions, is made at the boundaries of ac-intervals
and this decision can not be changed until the next ac-
interval. However, in presence of a very high load, the
number of accepted new sessions may be much greater than
a server capacity, and it inevitably leads to aborted sessions
and poor session completion characteristics
Hybrid admission control strategy covered in [2] which
tunes itself to be more responsive or more stable on a basis
of observed quality of service. It successfully combines most
attractive features of both ac-responsive and ac-stable
policies. It improves performance results for workloads with
medium to long average session length.
Predictive admission control strategy also covered in [2]
which estimates the number of new sessions a server can
accept and still guarantee processing of all the future session
requests. This adaptive strategy evaluates the observed
workload and makes its prediction for the load in the nearest
future. It consistently shows the best performance results for
different workloads and different traffic patterns. For
workloads with short average session length, predictive
strategy is the only strategy which provides both: highest
server throughput in completed sessions and no (or,
practically no) aborted sessions.
Session-based adaptive overload control mechanism based
on SSL connections differentiation and admission control
presented in [3,4] prioritizes resumed connections
maximize the number of sessions completed and also limits
dynamically the number of new SSL connections accepted
depending on the available resources and the number of
resumed SSL connections accepted, in order to avoid server
overload.
7. Conclusion
SSL is commonly used for secure http connections where
sensitive information is going to be sent along networks. SSL
session integrity is a critical metric in e-commerce.
Overload can lead e-commerce applications to considerable
revenue losses or may cause response times to grow to
unacceptable levels hence overload control is a critical goal.
To meet this goal either apply predictive or hybrid overload
control strategy based on session length which tunes itself
for giving better performance according to different
workload or an alternative approach is to apply SSL
connection differentiation and admission control technique
which prioritizes resumed SSL session over new session for
overload control. These admission control mechanism based on
Vol. 2, No. 6, June 2010
session will maximizes the number of sessions completed
successfully and allow e-commerce sites to increase the number of
transactions completed, therefore help in enhancing security and
performance.
References
[1] L. Cherkasova, P. Phaal “Session Based Admission
Control: a Mechanism for Improving the Performance
of an Overloaded Web Server.” HP Laboratories Report
No. HPL-98-119, June, 1998.
[2] L. Cherkasova, P. Phaal, “Session-based admission
control: A mechanism for peak load management of
commercial websites” IEEE Transactions on
Computers LI (6), pp. 669–685 ,2002.
[3] Jordi Guitart, David Carrera, Vicenç Beltran, Jordi
Torres and Eduard Ayguade “Session-Based Adaptive
Overload Control for Secure Dynamic Web
Applications” In Proceeding of International conf on
Parallel Processing (ICPP) , pp. 341-349, 2005.
[4] Jordi Guitart , Vicenc Beltran , David Carrera , Jordi
Torres , Eduard Ayguade “Designing an overload
control strategy for secure e-commerce applications” LI
(XV), pp. 4492-4510 , 2007.
[5] M. Harchol-Balter, B. Schroeder, N. Bansal, M.
Agrawal, “Size-based scheduling to improve web
performance” ACM Transactions on Computer Systems
, XXI (II) , pp. 207–233 , 2003
[6] D. Mosberger, T. Jin “A tool for measuring web
server performance” Workshop on Internet Server
Performance (WISP’98) in conjunction with
SIGMETRICS’98 Madison, Wisconsin, USA, pp59–
67 , 1998 .
[7] S. Elnikety, E. Nahum, J. Tracey, W. Zwaenepoel,
“A method for transparent admission control and
request scheduling in e-commerce web sites” 13th
International Conference on World Wide Web
(WWW’04), New York, USA, pp. 276–286, 2004
[8] B. Urgaonkar, P. Shenoy, “Cataclysm: Handling
extreme overloads in internet services” Tech. Rep.
TR03-40, Department of Computer Science, University
of Massachusetts, USA, December 2003
[9] H. Chen, P. Mohapatra, “Overload control in QoS-
aware webservers” Elsevier journal Computer Networks
XLII (I) , pp.119–133, 2003
[10] A.O. Freier, P. Karlton, C. Kocher, “The SSL
Protocol.Version 3.0” November 1996. Available:
http://wp.netscape.com/eng/ssl3/ssl-toc.htm
R K Pateriya M.Tech & B.E. in Computer
Science & Engg. and working as Associate
Professor in Information Technology
Department of MANIT Bhopal . Total 17
Years Teaching Experience ( PG & UG ).
158 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 6, June 2010

Dr. J. L . Rana Professor & Head of

Computer Science & Engg deptt. in MANIT
Bhopal .He has received his PhD from IIT
Mumbai & M.S. from USA (Huwaii) .He has
Guided Six PhD.

Dr. S. C. Shrivastava Professor & Head of

Electronics Engg. department of MANIT
Bhopal. He has Guided three PhD , 36
M.Tech and presented nine papers in
international & twenty papers in national
conference in India.