Constant Time Updates in Hierarchical Heavy Hitters

Slides:

Advertisements

Similar presentations

Network Security Highlights Nick Feamster Georgia Tech.

Advertisements

Traffic Engineering with Forward Fault Correction (FFC)

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

Summarizing Distributed Data Ke Yi HKUST += ?. Small summaries for BIG data  Allow approximate computation with guarantees and small space – save space,

OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Trafﬁc engineering – Identify large traffic aggregates, traffic changes.

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

Course Name- CSc 8320 Advanced Operating Systems Instructor- Dr. Yanqing Zhang Presented By- Sunny Shakya Latest AOS techniques, applications and future.

Measuring Large Traffic Aggregates on Commodity Switches Lavanya Jose, Minlan Yu, Jennifer Rexford Princeton University, NJ 1.

IP Telephony Project By: Liane Lewin Shahar Eytan Guided By: Ran Cohen - IBM Vitali Sokhin - Technion.

Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

Communication-Efficient Distributed Monitoring of Thresholded Counts Ram Keralapura, UC-Davis Graham Cormode, Bell Labs Jai Ramamirtham, Bell Labs.

Dream Slides Courtesy of Minlan Yu (USC) 1. Challenges in Flow-based Measurement 2 Controller Configure resources1Fetch statistics2(Re)Configure resources1.

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Load Balancing Dan Priece. What is Load Balancing? Distributed computing with multiple resources Need some way to distribute workload Discreet from the.

On the Power of Off-line Data in Approximating Internet Distances Danny Raz Technion - Israel Institute.

SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.

New Streaming Algorithms for Fast Detection of Superspreaders Shobha Venkataraman* Joint work with: Dawn Song*, Phillip Gibbons ¶,

CEDAR Counter-Estimation Decoupling for Approximate Rates Erez Tsidon (Technion, Israel) Joint work with Iddo Hanniel and Isaac Keslassy ( Technion ) 1.

INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.

CEDAR Counter-Estimation Decoupling for Approximate Rates Erez Tsidon Joint work with Iddo Hanniel and Isaac Keslassy Technion, Israel 1.

TinyLFU: A Highly Efficient Cache Admission Policy

1 LD-Sketch: A Distributed Sketching Design for Accurate and Scalable Anomaly Detection in Network Data Streams Qun Huang and Patrick P. C. Lee The Chinese.

Online Identification of Hierarchical Heavy Hitters Yin Zhang Joint work with Sumeet SinghSubhabrata Sen Nick DuffieldCarsten Lund.

Optimal Sampling Strategies for Multiscale Stochastic Processes Vinay Ribeiro Rolf Riedi, Rich Baraniuk (Rice University)

Distributed Denial-of-Service Attack Detection (and Mitigation?) Mukesh Agarwal, Aditya Akella, Ashwin Bharambe.

Tracking Malicious Regions of the IP Address Space Dynamically.

SCREAM: Sketch Resource Allocation for Software-defined Measurement Masoud Moshref, Minlan Yu, Ramesh Govindan, Amin Vahdat (CoNEXT’15)

REU 2009-Traffic Analysis of IP Networks Daniel S. Allen, Mentor: Dr. Rahul Tripathi Department of Computer Science & Engineering Data Streams Data streams.

Stride Scheduling: Deterministic Proportional-Share Resource Management Carl A. Waldspurger, William E. Weihl MIT Laboratory for Computer Science Presenter:

SketchVisor: Robust Network Measurement for Software Packet Processing

Denial of Service Mitigation with OpenFlow using SciPass

Internet Quarantine: Requirements for Containing Self-Propagating Code

CIS 700-5: The Design and Implementation of Cloud Networks

On-line Detection of Real Time Multimedia Traffic

University of Maryland College Park

Network Anti-Spoofing with SDN Data plane Authors:Yehuda Afek et al.

Distributed Network Traffic Feature Extraction for a Real-time IDS

Data Streaming in Computer Networking

Defending Against DDoS

Augmented Sketch: Faster and More Accurate Stream Processing

A Framework for Automatic Resource and Accuracy Management in A Cloud Environment Smita Vijayakumar.

Query-Friendly Compression of Graph Streams

Defending Against DDoS

DDoS Attack Detection under SDN Context

Optimal Elephant Flow Detection Presented by: Gil Einziger,

Qun Huang, Patrick P. C. Lee, Yungang Bao

SCREAM: Sketch Resource Allocation for Software-defined Measurement

VNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems Hongda Li1, Hongxin Hu1, Guofei Gu2, Gail-Joon.

Programmable Data Plane

EE 122: Lecture 7 Ion Stoica September 18, 2001.

Memento: Making Sliding Windows Efficient for Heavy Hitters

DDoS Attack and Its Defense

Constant Time Updates in Hierarchical Heavy Hitters

By: Ran Ben Basat, Technion, Israel

Network-Wide Routing Oblivious Heavy Hitters

Heavy Hitters in Streams and Sliding Windows

By: Ran Ben Basat, Technion, Israel

Ran Ben Basat, Xiaoqi Chen, Gil Einziger, Ori Rottenstreich

Statistical based IDS background introduction

Lu Tang , Qun Huang, Patrick P. C. Lee

Toward Self-Driving Networks

PCAV: Evaluation of Parallel Coordinates Attack Visualization

Toward Self-Driving Networks

NitroSketch: Robust and General Sketch-based Monitoring in Software Switches Alan (Zaoxing) Liu Joint work with Ran Ben-Basat, Gil Einziger, Yaron Kassner,

2019/11/12 Efficient Measurement on Programmable Switches Using Probabilistic Recirculation Presenter：Hung-Yen Wang Authors：Ran Ben Basat, Xiaoqi Chen,

Presentation transcript:

Constant Time Updates in Hierarchical Heavy Hitters Ran Ben Basat, Technion Gil Einziger, Nokia Bell Labs Joint work with Erez Waisbard (Nokia Bell Labs) Roy Friedman (Technion) and Marcello Luzieli (UFGRS)

Distributed Denial of Service

Hierarchical Heavy Hitters (HHH) identify traffic clusters. They are at the core of numerous DDoS mitigation systems… DDoS attack (Aug. 2014) DREAM: dynamic resource allocation for software-defined Counting. ACM SIGCOMM 2014 LADS: Large-scale Automated DDoS Detection System. USENIX ATC 2006 Automatically Inferring Patterns of Resource Consumption in Network Traffic. ACM SIGCOMM 2003

DDoS Mitigation Can we block only the attacking devices? 181.7.20.1 181.7.20.2 … 181.7.21.1 181.7.21.2 Can we block only the attacking devices?

Hierarchical Heavy Hitters Hierarchical Heavy Hitters identifies frequent: Flows (heavy hitters) Source networks. Source-Destination pairs. 181.7.∗.∗ 181.7.20.∗ 220.7.16.∗ 220.7.16.9 181.7.20.13

State of the art “Count each prefix independently.” 181.7.20.6 Level0 Counting Level0 Counting Level1 Counting Level1 Counting Compute all prefixes 181.7.20.6 181.7.20.6 181.7.20.* Level2 Counting Level2 Counting 181.7.*.* 181.*.*.* Level3 Counting Level3 Counting *.*.*.* Level4 Counting Level4 Counting Mitzenmacher et al., Hierarchical Heavy Hitters with the Space Saving Algorithm, ALENEX 2012

Randomized HHH (Our work) “Select a prefix at random and count it” Level0 Counting Level1 Counting Level1 Counting Compute a random prefix 181.7.20.6 Level2 Counting 181.7.20.* Level3 Counting Level4 Counting

Compute a random prefix Additional Speedup Level0 Counting Level1 Counting Level1 Counting With probability 90% Compute a random prefix Level2 Counting 181.7.20.* 188.67.7.1 181.7.20.2 92.67.7.81 188.3.12.3 181.7.20.3 181.7.20.6 92.67.7.81 181.7.20.3 181.7.20.2 181.7.20.6 188.67.7.1 188.3.12.3 Level3 Counting Level4 Counting Ignore packet

We did the math Accuracy and convergence guarantees . After enough packets there are: No false negatives. No counting errors. Only a few false positives.

How much traffic is needed for convergence? “Accuracy improves with the number of packets” 128M packets 128M packets Counting Errors False Negatives 32M packets 32M packets One prefix packet One prefix per 10 packets

Comparison with other HHH algorithms “Accuracy improves with the number of packets” One prefix per packet One prefix per 10 packets Mitzenmacher et al. Cormode et al., Finding hierarchical heavy hitters in streaming data, TKDD 2008

Comparison with other HHH algorithms Up to X62 speedup! One update per packet One update per 10 packets Mitzenmacher et al. Cormode et al., Finding hierarchical heavy hitters in streaming data, TKDD 2008

Open vSwitch Implementation Server A: Traffic Generator We send min-sized packets with headers from Internet traces. Server B: DPDK enabled Open vSwitch Performs HHH Counting in data plane Server A: Traffic generator Serve B: Open vSwitch Traffic Generator Open vSwitch

Comparing Implementation Overhead Highlights: Only -4% overheads for HHH in the OVS data plane! +250% throughput improvement compared to previous work. One prefix per packet One prefix per 10 packets OVS Mitzenmacher et al.

Takeaways Real time hierarchical heavy hitters measurement in networking devices. Provable accuracy guarantees. Open source code: https://github.com/ranbenbasat/RHHH How to detect the maximal-prefix networks?

Any Questions