
F.A. Kuipers


49 records found

This thesis presents Media over Multipath QUIC (MoMQ), a design that extends Media over QUIC Transport (MoQT) with multipath-aware object delivery. The core contribution of MoMQ is a rule-based mechanism that allows endpoints to install object-to-path mapping rules, enabling relays to schedule media objects across multiple network paths according to application-level delivery preferences. These rules operate on generic object metadata, allowing relays to remain application-agnostic while supporting fine-grained, semantics-aware media distribution.

The motivation for MoMQ stems from the limitations of single-path transport for emerging real-time media applications. High-resolution video, ultra-low-latency cloud gaming, and high-frame-rate video conferencing increasingly approach the performance limits of a single network path. Multipath QUIC provides a standards-compliant transport substrate that can aggregate heterogeneous network resources and improve resilience, making it a necessary building block for future real-time media systems.

However, transport-layer-only multipath scheduling is insufficient to meet the strict latency and quality requirements of real-time media without guidance from application semantics.

MoMQ bridges this gap by exposing a controlled interface through which applications can express delivery preferences, while preserving MoQT’s decoupled relay architecture. As a result, MoMQ can flexibly support diverse real-time applications, including live streaming and video conferencing, without binding relays to specific application logic.

To evaluate the proposed design, this thesis analyzes the stringent requirements of video conferencing under advanced encoding strategies such as Scalable Video Coding (SVC) and derives MoMQ scheduling policies accordingly. A prototype system is implemented and deployed in a real-world multipath environment consisting of a terrestrial WiFi link (representative of typical 4G LTE characteristics) and a Low Earth Orbit (LEO) satellite link. Transport-only baseline measurements confirm that existing multipath schedulers fail to improve upon single-path tail latency, motivating the need for application-level scheduling guidance. Four declarative MoMQ rules addressing P-frame interleaving, reconfiguration avoidance, dependency co-location, and cost-sensitive path preference collectively reduce P99.9 frame completion time by 39% compared to the best single-path baseline and by 63% compared to the best transport-only multipath scheduler, while routing only approximately 8% of traffic over the metered backup path. ...
Doctoral thesis (2026) - M. Kalntis, F.A. Kuipers, G. Iosifidis
Modern cellular networks are tasked to deliver guaranteed performance for a wide array of users that increasingly demand higher throughput and reliability, lower latency, seamless connectivity, ubiquitous coverage, energy efficiency, fairness, and security, to name a few. To meet these demands, networks are becoming increasingly complex, combining diverse deployments and multiple radio access technologies that are envisioned to extend beyond 5G. At the same time, the resources (e.g., spectrum, energy, capacity) needed to serve all users are limited and expensive; and control decisions, such as mobility and resource allocation, often require trading throughput with other user-perceived performance metrics such as lower delays, signaling/communication costs, and failure risks.

In these environments where traffic patterns change rapidly, signal qualities fluctuate unpredictably and the cost/availability of resources is uncertain, it becomes apparent that static control rules and legacy mechanisms built on heuristics are poorly suited. In this context, the evolution of mobile network architectures, particularly the emergence of open Radio Access Network (RAN), represents a necessary and enabling change. The O-RAN Alliance, for example, is a global initiative aimed at softwarizing and standardizing RANs to improve their performance, reduce costs, and lower the entry barrier for a broader vendor ecosystem. It enables scalable, data-driven control loops that can be implemented centrally by intelligent controllers and enforced at different time scales, namely, near-real-time (near-RT) and non-real-time (non-RT). In this way, it becomes possible to embed online learning solutions in the RAN itself, where data are collected and used for effective and robust learning.

This dissertation responds to these challenges by developing online (meta-) learning algorithms for two coupled control layers in O-RAN: (i) mobility management (via user-cell association and traditional/conditional handovers) and (ii) resource allocation (via threshold, non-RT policies) for virtualized base stations. Online learning provides a principled way to make sequential decisions under uncertainty, and online meta-learning enables the system to combine various (online) learners, each tailored for different environments, achieving both effectiveness, which translates to high performance under all conditions, as well as robustness, which ensures this high performance without knowing precisely the conditions. All proposed methods deliver operation guarantees under all conditions (from stationary to even adversarial dynamics), as well as practical gains on country-scale operator data and O-RAN-compatible testbeds.
...

A study conducted at the ASML leveling department

Master thesis (2025) - Y. Mundhra, M. Izadi, F.A. Kuipers, Max Valk, Lewis Binns, U.K. Gadiraju, Goran Brkic
Large Language Models (LLMs) have shown impressive performance in various domains, including software engineering. Code generation, a crucial aspect of software development, has seen significant improvements with the integration of AI tools. While existing LLMs have shown very good performance in generating code for everyday tasks, their application in industrial settings and domain-specific contexts remains largely unexplored. This thesis investigates the potential of LLMs to generate code in proprietary, domain-specific environments, with a specific focus on the leveling department at ASML. The primary goal of this research is to assess the ability of LLMs to adapt to a domain they have not encountered before and to generate complex, interdependent code in a domain-specific repository. This involves evaluating the performance of LLMs in generating code that meets the specific requirements of ASML. To achieve this, the thesis investigates various prompting techniques, compares the performance of generic and code-specific LLMs, and examines the impact of model size on code generation capabilities. To evaluate the code generation capabilities of LLMs in repository-level scenarios, we introduce a new performance metric, build@k, designed to measure the effectiveness of generated code in compiling and building projects. The results showed that both prompting techniques and model size have a substantial influence on the code generation capabilities of LLMs. However, the performance difference between code-specific and generic LLMs was less pronounced and varied substantially across different model families. ...
Frequent route changes in modern SDN-based networks are known to severely degrade the performance of TCP Cubic. This degradation is caused by two factors: sudden RTT changes, and packet reordering which Cubic misinterprets as congestion. This research investigates how a modern alternative, BBRv3, performs under these same conditions. Using ns-3 simulations with rerouting intervals of 3, 5, and 10 seconds, we show that BBRv3 is significantly more resilient. While Cubic throughput is reduced by nearly 50% at 3-second intervals, BBRv3 performance degrades by less than 10%, as its probing mechanism does not use packet reordering as a congestion signal. We also examined a second scenario where a flow leaves a saturated link. We concluded Cubic flows take much longer to fill the newly freed up bandwidth, as much as 8 seconds for a 25% increase in available bandwidth. BBR performs much better as it is able to recognize that the link is not saturated during its next probing phase and immediately fill it. Therefore, we conclude that BBRv3 is better suited for the dynamic network conditions found in SDN environments ...
The Low-Latency, Low-Loss, Scalable Throughput (L4S) service aims to support real-time applications by enabling high throughput with sub-millisecond queueing delay. It combines scalable ECN-based congestion control (e.g., TCP Prague) with a Dual-Queue AQM such as DualPI2 to separate low-latency and classic traffic. This paper evaluates how L4S behaves under stressful network conditions using an extended ns-3 testbed with DualPI2, TCP Prague, and ECN-enabled BBRv3. We test five scenarios: RTT jitter, bandwidth shifts, mixed traffic, wireless loss, and scalable-to-scalable coexistence. Our results show that TCP Prague consistently delivers low delay and stable throughput, whereas legacy TCP Cubic shows elevated and more variable delay—especially under jitter and in shared queues. ECN-BBRv3 coexists cleanly with Prague, but when Cubic and Prague share a queue, Prague dominates bandwidth. L4S thus meets its latency goals, but fairness with classic TCP remains an open issue.
...

How do flow startup mechanisms impact the performance of TCP?

Bachelor thesis (2025) - M. Grigore, F.A. Kuipers, A. Zapletal, A. Katsifodimos
Most TCP data transfers in the Internet are short. This makes the startup algorithms an important factor that impacts TCP performance. Several startup algorithms have been developed. However, not a lot of research has been conducted into how these behave and interact when used for short flows. This paper aims to provide a thorough evaluation of these algorithms and their interactions under different network conditions, focusing on short flows and using ns-3. We have observed that JumpStart seems to outperform the other algorithms used when it comes to flow completion time for short flows. That is likely because it starts to send data with an aggressive initial congestion window and the flow is finished after the first few RTTs. However, JumpStart performs more poorly when the flows are longer. We have shown that JumpStart has a great potential to make communication more efficient in the Internet but further research has to be conducted into its behavior in more adversarial conditions that represent real life situations better. ...

Evaluation of Transport and MAC-Layer Aggregation Techniques

Modern TCP congestion control algorithms rely on timely ACK feedback to adjust their parameters. However, some networks deliberately suppress ACKs. This study uses the ns-3 simulator to experiment with the impact of suppressing ACKs on the reverse path on four TCP variants (BBRv3, Cubic, NewReno, Vegas) in both wired and wireless dumbbell topologies. In wired experiments, we implement a custom queue that allows us to test fixed aggregation ratios at the transport-layer. In wireless scenarios, we utilize the IEEE 802.11n standard’s MAC-layer aggregation schemes (A-MSDU, A-MPDU), both individually and in combination, and also evaluate varying maximum A-MPDU aggregation sizes. Our results show that while transport-layer aggregation can degrade performance and fairness, especially for BBRv3 and Cubic, MAC-layer aggregation consistently improves throughput without destabilizing TCP behaviour. NewReno demonstrates strong resilience across both setups, while Vegas exhibits highly inconsistent performance. These findings highlight the importance of carefully aligning aggregation mechanisms with congestion control strategies. ...
Bachelor thesis (2025) - K. Gniaź, A. Zapletal, F.A. Kuipers, A. Katsifodimos
The Transmission Control Protocol (TCP) remains the cornerstone of modern network communication, enabling reliable and ordered data delivery across a wide range of network environments. Despite its ubiquity, the performance of TCP’s variants under extreme and highly variable network conditions remains insufficiently explored. This paper investigates the behavior of two common TCP variants - CUBIC and BBRv1 - when subjected to dynamic bandwidth and delay fluctuation. Such conditions are increasingly common in real-world wireless networks and can have a significant impact on TCP flows. We conduct a series of tests using the ns-3 framework, employing a dumbbell topology to simulate wireless connections. The results of 6 different testing scenarios are presented. They show that both algorithms experience significant packet loss in the event of bandwidth variance during transmission, with BBRv1 adapting to these changes better, but not dominating over CUBIC in a multi-flow connection. In addition, both TCP variants experience harsh throughput drops but lose very few packets in the event of delay spikes. When faced with both delay and bandwidth variance, BBRv1 experiences high packet loss while CUBIC’s connection remains stable.
...

Enhancing HTTP Strict Transport Security through Secure-by-Default Principles

Over the years, the web has slowly been moving towards more security. This is done to ensure integrity, authenticity, and confidentiality of the communication between clients and servers. The most significant improvement to the security on the web has been HTTPS, which provides secure communication using encryption. However, downgrade attacks can bypass HTTPS entirely by reverting the communication to the insecure HTTP protocol. HSTS is the primary defense against such attacks. However, previous research has uncovered numerous vulnerabilities in the HSTS protocol, particularly those that allow attackers to disable HSTS by invalidating its state and a method that uses HSTS headers to enable websites to track users.

In this thesis, we present HSTS-Enforced, an alternative to traditional HSTS. HSTS-Enforced effectively prevents downgrade attacks by employing a Secure-by-Default approach. Website administrators can explicitly opt out of security by specifying an HTTP-Required indicator. We propose two indicators: a new DNSSEC record and the HTTP-Required Preload list.

We demonstrate the effectiveness of HSTS-Enforced, through the creation and validation of a protocol implementation encompassing both client and server-side components. Our evaluation reveals that HSTS-Enforced eliminates the vulnerabilities found in conventional HSTS. Additionally, we show that while enhancing security, HSTS-Enforced imposes a minimal load on all involved components (i.e., client, network, and server). ...
Master thesis (2024) - P. Maćkowiak, F.A. Kuipers, Piotr Żuraniewski
The inability to check how our Internet traffic is being handled and routed poses all kinds of security and privacy risks. Yet, for the typical end-user, the Internet indeed is such a black box. This thesis adheres to the call for an Internet that is more transparent, and as a step forward proposes a mechanism that carefully balances the desire to share transparency information with the necessity to not expose all internal details of a network. The presented work realises this by building on the framework of multi-party computation. The proposed architecture and corresponding proof-of-concept are evaluated via experiments and demonstrate the feasibility of the concept to improve Internet transparency. ...
Master thesis (2024) - J.D. Eickhoff, A. Iosup, F.A. Kuipers, A. Katsifodimos, J. Donkervliet
Online gaming is the world’s largest entertainment industry by revenue, and supports over 3 billion consumers worldwide. Many of the world’s most popular online games must manage millions of concurrent players through a single unified service. Achieving performant and scalable online games is challenging. Online games are subject to stringent quality of service requirements, notably extremely low response times, with at most 50ms being considered acceptable. Unlike many other types of applications, the performance of online games depends to a large degree on the resources available on end-user devices. These devices are typically heterogeneous, limited in compute and network resources, and subject to unpredictable changes in resource availability.
Addressing this challenge, we propose in this work the concept of differentiated deployment, which allows online games to selectively manage and scale online-game systems with fine granularity in response to changes in available resources. We design Polka, a framework for online games which supports differentiated deployment. We then implement PolkaDOTS, an open-source proof of concept of the Polka framework built in an industry standard game development ecosystem.
We evaluate our approach using Dither, a custom-built experiment runner for large scale distributed experiments on online games. We use Dither to perform real-world experiments on a representative Minecraft-like Game, Opencraft 2, built on the PolkaDOTS stack, and analyze the impact of various differentiated deployment scenarios. From these experiments, we find that differentiated deployment can decrease performance variability of online-game servers, and decrease the response time experienced by players by up to 32%. Most importantly, we show that differentiated deployment enables novel deployment techniques, including switching from local rendering to cloud-based rendering (i.e., cloud gaming) at runtime. ...
The versatility of the internet enables many applications that play an increasingly bigger role in our society. However, users have little control over the route that their internet traffic takes, which prevents them from controlling who sees their packets and how their traffic is handled. Researchers have proposed an extension to the internet, called the responsible internet, that aims to provide users with control over the route that their internet traffic takes.
Providing this control is the aim of this thesis. Users can control their route by specifying requirements that their route has to fulfill. This thesis defines the Maximum Path Requirement Intersection (MPRI) problem as the problem of finding the route that satisfies as many of the user’s requirements as possible, and this thesis proves that MPRI is NP-hard. Subsequently, both a heuristic to solve the problem in a reasonable amount of time as well as an exact algorithm that guarantees to find the globally best path are introduced. The performance of the heuristic is measured relative to the globally optimal solution given by the exact algorithm. Results show that less features allow the heuristic to have a larger search space, which improves the results; that the runtime of the heuristic scales polynomially in the number of hops between the start and end node; that the heuristic is most effective in graphs that have a power-law degree distribution and least effective in grid-like graphs; and that in a realistic setting the heuristic runs quickly while performing close to optimal. ...
Master thesis (2024) - S. SRIDHAR, F.A. Kuipers, K. Liang, Oscar Garcia Morchon O.
The rapid evolution of 5G technology has paved the way for the proliferation of resource-constrained Internet of Things (IoT) devices, collectively known as ambient IoT. While these devices offer unprecedented opportunities for connectivity and data collection, their limited computational capabilities present significant challenges in implementing robust security measures. This thesis addresses these challenges by proposing two novel lightweight security protocols tailored for ambient IoT devices within 5G networks.

The first protocol, "Lightweight security protocol instantiated using ASCON", leverages the ASCON family of cryptographic functions to ensure essential security properties while adhering to the constraints of ambient IoT devices. The protocol’s effectiveness is evaluated through simulations, focusing on computational efficiency compared to existing solutions.

The second protocol, "Data container-based security protocol", adopts a container-based approach to enhance interoperability and standardization across diverse ambient IoT device applications. This protocol facilitates seamless integration and compatibility among ambient IoT systems by encapsulating authentication and communication data within generic containers. The benefits of this approach are analyzed theoretically, highlighting its potential for standardization in heterogeneous 5G environments.

Together, these lightweight security protocols contribute to developing a secure and efficient ecosystem for ambient IoT devices within 5G networks. By addressing the challenges posed by resource-constrained devices and promoting interoperability, this thesis aims to enhance security and facilitate the widespread adoption of ambient IoT technologies in our increasingly connected world. ...

Generating P4 code by input-output examples

Master thesis (2023) - T. Jugariu, F.A. Kuipers, C. Ji, S. Dumančić
An all-important step in the ambitious pursuit towards autonomous networks has been the introduction of Software Defined Networking, which has advocated the concept of separating a network’s control plane from the data plane and creating a programmable controller with a wider view of the network. This innovation proved to be very promising, but the non-programmable data plane quickly became a limitation.
The next step was brought by the emergence of the programmable switch architecture and P4, a language specifically designed for defining the behaviour of programmable network devices. P4 is a remarkably powerful language that allows the software developer to define almost any packet-processing functionality, all while abstracting away from the specifics of the target’s hardware architecture.
Despite its many benefits, P4 brings with it an additional layer of complexity for network administrators, who may find themselves overwhelmed by having to learn a new programming language.
This report tackles this issue by presenting a prototype that is capable of synthesizing small P4 programs from pairs of input & output packets. Under the hood, the proposed solution uses a bottom-up enumerative synthesizer called Probe. This synthesizer was re-implemented, improved, and tailored to leverage the particularities of the problem domain.
...
Master thesis (2023) - N. Tehrany, A. Iosup, Animesh Trivedi, F.A. Kuipers
The ongoing digitalization of the world, estimated to reach a yearly data generation of 200 Zettabytes by 2025, is putting increasing pressure on system developers to provide systems capable of scaling with future needs. Of particular importance are the data storage systems, providing the means of storing and retrieving the vast amounts of data. One widely adopted storage technology, predicted to become the leading media for future data storage, is flash-based solid state drives (SSD). The complex architecture of flash SSD however introduces several challenges, such as necessary garbage collection, for managing the flash storage. To readily integrate flash SSD into storage systems, the flash management idiosyncrasies are hidden inside the storage device. The hiding of the flash management idiosyncrasies has however been identified to have significant performance implications. As a result, numerous efforts have pushed towards more open flash storage interfaces, with the most recent addition of Zoned Namespace (ZNS) flash SSD. ZNS SSD presents a unique opportunity for storage software and the flash SSD to coordinate the flash management responsibilities.

While the open flash storage interface of ZNS presents a plethora of opportunities in software optimization, current software support is in its early stages, leaving much of its potential yet to be explored. In this work, we present msF2FS (multi-streamed F2FS), a file system with optimized ZNS integration, based on the de facto standard flash file system F2FS. msF2FS enhances the ZNS integration by leveraging the parallelism capabilities of ZNS SSD, and increasing the coordination between the file system and applications for data placement decision-making. The data placement coordination between file system and application reduces the sub-optimal data placement decisions made by the file system. Evaluations of msF2FS show the benefit of the application and file system coordination, with the RocksDB application achieving up to 23.19% higher throughput as a result of optimized data placement. We make all developed code of msF2FS publicly available at https://github.com/nicktehrany/msF2FS.
...
Master thesis (2022) - D. Ravi, F.A. Kuipers
Intent-based Networking (IBN) is one of the hot topics of research in the modern field of networking. Abstracting the complexity of network management away from the network operator through automation is the cornerstone of the IBN concept. However, a lot of current research on intent-based networking is concentrated towards programmable software defined networks (SDN), rather than traditional non-programmable network devices which still hold a large market share in modern networks. Moreover, when it comes to traditional network devices, network validation becomes very crucial as it needs a vendor-agnostic environment to evaluate the network. This thesis studies the important aspects necessary for IBN adaptation for legacy devices and provides a solution for adaptation into modern networks, while being vendor-agnostic. Based on the design, the results obtained from the proofs-of-concept are then analyzed and concluded upon, ending by elucidating avenues of future work. ...
Master thesis (2022) - Z. Du, J. L. van den Berg, R. Litjens, F.A. Kuipers
As a result of a global pandemic, there has been an increasing interest in tools for remote video conferencing and collaboration. One of these new innovations is social eXtended Reality (XR). By combining Virtual Reality (VR) and Augmented Reality (AR) technologies, social XR can provide a more immersive experience than any other VR application by giving users at different locations the chance to virtually gather in real-time. But such applications impose enormous requirements on computational and communication resources. 5th Generation (5G) mobile networks are targeted as a solution to provide ultra-low latency and ultra-high throughput for social XR. In current research, many optimisations are aimed at VR applications such as on-demand streaming, while there is a lack of solutions for real-time user-interactive applications like social XR. In this graduation project we develop and assess cross-layer solutions for optimised scheduling of social XR applications in 5G networks. An existing framework for simulating social XR conference applications serves as the basis for our modelling approach. We devise different schedulers that utilise cross-layer information in the form of the video frame type and frame-level End-to-End (E2E) latency budgets rather than packet-level latency budgets purely within the Radio Access Network (RAN). In contrast to previous work, we create the VR traffic based on real video data and develop tools to model the packet dispersion caused by multi-hop transmission over the internet towards the RAN. We study the effect of various system and traffic parameters on the Quality of Service (QoS) and perceived Quality of Experience (QoE) in the context of social XR applications through an extensive sensitivity analysis. Herein we also assess the performance impact of different types of cross-layer packet schedulers.
Further, we gain insights into the correlation between the network QoS and the QoE perceived by end users, which are key in future cross-layer implementations for social XR. ...
Bachelor thesis (2022) - M.W.G. Frensel, F.A. Kuipers, C. Ji, M.L. Molenaar
P4 programmable data-planes provide operators with a flexible method to set up data-plane forwarding logic. To deploy networks with confidence, a switch's forwarding logic should correspond with its intended behavior. Programs loaded onto programmable data-planes don't necessarily go through as much testing as traditional fixed-function devices from large manufacturers. Security is therefore of utmost importance.

The main question this research attempts to answer, is whether a single compromised P4 switch can corrupt the entire (P4) network. In this scenario the attacker already has access to the compromised switch, and the assumption is made that all devices blindly trust each other. Two load balancing schemes are investigated, Clove-ECN and HULA. The former performs load balancing on the hosts, and results show that switches can transparently influence traffic flow by manipulating the ECN bits. The latter is designed for implementation on the data-plane, e.g. using P4, and we can conclude that HULA is susceptible to attacks by spoofing probe packets with false data. ...
Bachelor thesis (2022) - R.C. Couwenberg, F.A. Kuipers, C. Ji, M.L. Molenaar
After software defined networking (SDN) separated the control-plane from the data-plane, P4 was proposed as a solution to be able to program the data-plane. The programmable data plane (PDP) is very useful to alter the behaviour of programmable network devices. The drawback, however, is that without virtualization only one single P4 program can run at a time on the PDP. Compiler based and hypervisor based approaches can be used to virtualize the P4 data-plane to let P4 programs run alongside each other. This increases the flexibility when compared to P4, but can potentially come with added risks. Hypervisor based approaches share resources, while compiler based approaches try to minimize the sharing of resources. This opens up hypervisor based approaches, like HyperVDP and Hyper4, to attacks from a corrupt P4 program. Because of the resource sharing, when one of the virtualized P4 programs in HyperVDP is corrupted, there potentially is a risk that the other virtualized programs also get influenced. This paper will attempt to answer the question: can a malicious P4 program corrupt the behaviour of another P4 program while running alongside it? This will be done by laying out a method to answer this question using HyperVDP. A repository containing the updated source code of HyperVDP will also be created and provided to allow for a stable framework. ...
Bachelor thesis (2022) - F.R.F. Broy, C. Ji, F.A. Kuipers, M.L. Molenaar
DDoS attacks are becoming more common and sophisticated. Only recently, in 2017, Google claims they have mitigated an attack which sent 2.54 Tbps of traffic to their servers. In order to prevent these attacks, more and more robust defence mechanisms need to be put in place to withstand the malicious traffic and secure the networks. Programmable data planes allow the users to specify which rules the headers of a packet need to follow and what happens if they are different. With this freedom, achieving more secure networks becomes possible. The use of the programming language P4 makes it easy to modify the functionality of the switches and limit the behaviour of the network in order to reduce the attack surface.
This paper describes certain attacks and mitigation techniques for them, such as DoS attacks and SYN-flood attacks. The paper will list existing defence techniques and enumerate their advantages and drawbacks. There will be two proof of concept detection and mitigation techniques in P4, and these implementations will be compared to already existing ones. The P4 implementations will be provided as well as comparison and performance graphs. ...