New Packet Sampling Technique for Robust Flow Measurements Shigeo Shioda Department of Architecture and Urban Science Graduate School of Engineering, Chiba.

Slides:



Advertisements
Similar presentations
EE384Y: Packet Switch Architectures
Advertisements

Computer Networks TCP/IP Protocol Suite.
1 UNIT I (Contd..) High-Speed LANs. 2 Introduction Fast Ethernet and Gigabit Ethernet Fast Ethernet and Gigabit Ethernet Fibre Channel Fibre Channel High-speed.
1 Concurrency: Deadlock and Starvation Chapter 6.
Greening Backbone Networks Shutting Off Cables in Bundled Links Will Fisher, Martin Suchara, and Jennifer Rexford Princeton University.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint
1 On the Long-Run Behavior of Equation-Based Rate Control Milan Vojnović and Jean-Yves Le Boudec ACM SIGCOMM 2002, Pittsburgh, PA, August 19-23, 2002.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
STATISTICS HYPOTHESES TEST (III) Nonparametric Goodness-of-fit (GOF) tests Professor Ke-Sheng Cheng Department of Bioenvironmental Systems Engineering.
STATISTICS POINT ESTIMATION Professor Ke-Sheng Cheng Department of Bioenvironmental Systems Engineering National Taiwan University.
OSPF 1.
1 OpenFlow + : Extension for OpenFlow and its Implementation Hongyu Hu, Jun Bi, Tao Feng, You Wang, Pingping Lin Tsinghua University
Security Issues In Mobile IP
Doc.: IEEE /037r1 Submission March 2001 Khaled Turki et. al,Texas InstrumentsSlide 1 Simulation Results for p-DCF, v-DCF and Legacy DCF Khaled.
Document #07-2I RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.
1 Hyades Command Routing Message flow and data translation.
Improvement of TCP Packet Reassembly in Libnids
New Directions in Traffic Measurement and Accounting Cristian Estan (joint work with George Varghese)
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 10 second questions
Chapter 7 Sampling and Sampling Distributions
Communicating over the Network
1 The Impact of Buy-Down on Sell Up, Unconstraining, and Spiral-Down Edward Kambour, Senior Scientist E. Andrew Boyd, SVP and Senior Scientist Joseph Tama,
Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.
REVIEW: Arthropod ID. 1. Name the subphylum. 2. Name the subphylum. 3. Name the order.
1 EE 122: Networks Performance & Modeling Ion Stoica TAs: Junda Liu, DK Moon, David Zats (Materials with thanks.
Spoofing State Estimation
Microprocessor Architecture Pipelined Architecture
ABC Technology Project
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Distance Vector Routing Protocols Routing Protocols and Concepts –
5-1 Chapter 5 Theory & Problems of Probability & Statistics Murray R. Spiegel Sampling Theory.
Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.
1 Undirected Breadth First Search F A BCG DE H 2 F A BCG DE H Queue: A get Undiscovered Fringe Finished Active 0 distance from A visit(A)
2 |SharePoint Saturday New York City
IP Multicast Information management 2 Groep T Leuven – Information department 2/14 Agenda •Why IP Multicast ? •Multicast fundamentals •Intradomain.
VOORBLAD.
Chapter 20 Network Layer: Internet Protocol
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Chapter 6 File Systems 6.1 Files 6.2 Directories
ICmyNet.Flow Network Traffic Analysis System If You Want to See Your Net
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 EN0129 PC AND NETWORK TECHNOLOGY I IP ADDRESSING AND SUBNETS Derived From CCNA Network Fundamentals.
© 2012 National Heart Foundation of Australia. Slide 2.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.1 Module 2 Networking Fundamentals.
Understanding Generalist Practice, 5e, Kirst-Ashman/Hull
RED-PD: RED with Preferential Dropping Ratul Mahajan Sally Floyd David Wetherall.
Executional Architecture
25 seconds left…...
Equal or Not. Equal or Not
Slippery Slope
Putting Statistics to Work
Januar MDMDFSSMDMDFSSS
We will resume in: 25 Minutes.
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Intracellular Compartments and Transport
PSSA Preparation.
Immunobiology: The Immune System in Health & Disease Sixth Edition
Essential Cell Biology
1 McGill University Department of Civil Engineering and Applied Mechanics Montreal, Quebec, Canada.
New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.
Presentation transcript:

New Packet Sampling Technique for Robust Flow Measurements Shigeo Shioda Department of Architecture and Urban Science Graduate School of Engineering, Chiba University

Chiba University 2 Objectives of traffic measurements Short-term monitoring. Detecting high volume traffic patterns (denial of service attacks). Detecting unexpected or illegal packets. Investigating of origins. Long-term traffic engineering. Rerouting traffic. Upgrading selected links.

Chiba University 3 Per-flow-base traffic measurement (1) Just counting the number of packets or bytes is not sufficient; per-flow-base traffic measurement is necessary. What is a flow? Informally, a set of packets consisting logical communication between application processes running on different hosts. Flow-level information could tell us who is now using the Internet.

Chiba University 4 Per-flow-base traffic measurement (2) Flow 1 Flow 2 Meaning of a flow.

Chiba University 5 Per-flow-base traffic measurement (3) How we could distinguish flows. Investigating headers of packets. Classifying packets based on IP addresses, port numbers, and protocol ID. versionHLTOSTotal Length IdentificationFlagsFragment Offset TTLProtocol-IDHeader Checksum Source Address Destination Address Source PortDestination Port Sequence Number Acknowledgement Number IP Header TCP Header

Chiba University Per-flow-base traffic measurement (4) Flow-measurement procedure. A Router maintains flow cache containing a flow record. When a packet is seen, a router updates counters of the corresponding entry in the flow cache Flow 1: Flow 2: # of packets Flow 3: # of bytes Flow Cache Flow 1 packetFlow 2 packetFlow 3 packet 4500

Chiba University 7 Lack of scalability Due to the rapid increase of the todays line speed, the number of concurrent flows are increasing yearly. Updating per-flow counter on a per-packet basis is already impossible with todays line speed. The gap between DRAM speeds and link speeds is increasing. Problems of flow measurements

Chiba University 8 Packet sampling Updating a flow cache only for sampled packets. Elephant flows would be detected even under the packet sampling. Although many tiny (and unimportant) flows would be missed under the packet sampling, it does not matter in terms of network management. Ciscos Sampled NetFlow. How to sample packets?

Chiba University 9 Fixed rate sampling Definition Choosing sampled packets at a fixed rate For example, taking one in every N packets. Ciscos Sampled NetFlow uses the fixed rate sampling. Sampling PacketsNo Sampling Packets 0 t N = 5

Chiba University 10 Shortcomings of the fixed rate sampling The size of memory holding the flow cache strongly depends on the traffic load. When DoS attacks are in progress, the memory would be rapidly consumed even if the sampling rate is low. However, low sampling rate would yield large error in traffic measurement under the normal load. Its a hard decision for network operators to set the static sampling rate.

Chiba University 11 Fixed period sampling Definition Choosing at most one packet to sample in every fixed-length period (called sampling window) For example, taking one in every t w second. Our solution. 0 twtw 2 t w 3 t w 4 t w Sampling Window Sampling PacketsNon-sampled Packets

Chiba University 12 Properties of fixed period sampling The number of samplings during a second is bounded by 1/t w. The number of entries in the flow cache is also bounded. Sampling interval (t w ) is easily determined based on the available memory or CPU for flow measurements.

Chiba University 13 Number of flow entrees Time [s] Number of Entries Indianapolis-Kansas City Time [s] Number of Entries U.S.-Japan link Fixed period samplingFixed rate sampling N=1000, t w =10ms

Chiba University 14 Time [s] Number of Sampled Packets Time [s] Trace 1Trace 2 Number of sampled packets Fixed period samplingFixed rate sampling N=1000, t w =10ms

Chiba University 15 Second Packet Sampling (1) An arbitrary packet can be chosen to sample during each sampling window. Which packets to be sampled? The simplest (and the most natural) rule: the first packet sampling. Intuitively the first packet sampling rule seems to work well, but it is not true. We apply the second packet sampling.

Chiba University 16 First packet sampling and second packet sampling First packet sampling Second packet sampling 0 twtw 2 t w 3 t w 4 t w Sampling PacketsNon-sampled Packets 0 twtw 2 t w 3 t w 4 t w Sampling PacketsNon-sampled Packets

Chiba University 17 Second Packet Sampling (2) For example Flow 1: packets arrive periodically Flow 2: packets arrive according to a Poisson process We theoretically found that Under the first packet sampling rule, 63.2% of sampled packets are of flow 1. (strongly biased) Under the second packet sampling rule, 49.7% of sampled packets are of flow 1. (almost unbiased)

Chiba University 18 Flow level traffic estimation Sampling inevitably misses some information. Some inference techniques are required to know the statistics of flow level traffic from the sampled packets. Here, we focus on the flow rate estimation.

Chiba University 19 Flow rate estimation (1) Flow rate Informally, the rate at which a flow sends data. Formally, the ratio of the total bytes transferred to the flow duration. Flow rate is an index for identifying vital flows, which often have significant impact on network performance. Flow rate can be estimated from sampled packet streams.

Chiba University 20 Flow rate estimation (2) Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Real trace on a link between Indianapolis-Kansas City Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] t w =10ms (0.15% packets were sampled) t w =1ms (1.5% packets were sampled)

Chiba University 21 Flow rate estimation (3) Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Real trace on a U.S. – Japan link t w =10ms (1.5% packets were sampled) t w =1ms (13.4% packets were sampled) Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps]

Chiba University 22 Conclusion Sampling techniques are indispensable to todays traffic measurement in the Internet. Fixed period sampling could bypass problems of the existing sampling technique (fixed rate sampling). Fixed period sampling should be used together with the second packet sampling. Flow rate can be estimated well with the fixed period sampling.

Chiba University 23 Thank you.

Chiba University 24 Flow rate estimation under first packet sampling N=1000, t w =10ms Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Indianapolis-Kansas U.S.-Japan link

Chiba University 25 Bayesian Estimates (2) t w =1ms Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Bayesian Estimator Naive Estimator

Chiba University 26 Bayesian Estimates (1) Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Estimated Flow Rate [Mbps] Actual Flow Rate [Mbps] Bayesian Estimator Naive Estimator t w =10ms

Chiba University 27 Objectives of traffic measurements (2) QoS monitoring. Measurement of QoS properties. Validating service-level agreement. Usage-based accounting. Input to charge or billing.

Chiba University 28 Shortcomings of the fixed rate sampling Is there any sampling strategy which work even under massive DoS attacks? Traffic Time [s]

Chiba University 29 Existing solutions to the fixed rate sampling Sampling rate adaptation First, the sampling rate is initialized to the maximum rate, at which the processor can operate. Then, the sampling rate is dynamically adjusted based on the amount of consumed memory. Adaptive NetFlow. We propose another solution.

Chiba University 30 Fixed period sampling (2) Timeout transaction Under the sampling measurements, one could not exactly know the beginning and end of flows. (SYN or FIN packets may not be sampled.) Thus, flow entries that have not been seen during last N samplings are deleted from the flow cache. Due to timeout transaction, the flow cache keeps only flows, whose packets have been detected at least once during last N samplings.

Chiba University 31 Simulation experiments The accuracy of the flow-rate estimation was investigated using real traffic data. Two real traces (traffic data) were used. Trace1: Traffic data measured by PMA Project on a backbone link between Indianapolis - Kansas City. Trace 2: Traffic data measured by WIDE Project on a U.S. and Japan link published.

Chiba University 32 Flow rate estimation (2) Naïve estimation. Estimation based on the sampling frequency. Bayesian estimation. If we know the probability density function of the flow rate as prior information, we could apply Bayesian estimator to improve the estimation accuracy.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.