Bitmap algorithms for flow counting – Internet Measurement Conference, October 2003 Bitmap Algorithms for Counting Active Flows on High Speed Links Cristian.

Presentation transcript:

Bitmap Algorithms for Counting Active Flows on High Speed Links
Cristian Estan, George Varghese, Mike Fisk
Computer Science and Engineering Department, University of California, San Diego

Why count flows?
Detect port/IP scans
Identify DoS attacks
Estimate spreading rate of a worm
Packet scheduling
Dave Plonka's FlowScan

Existing flow counting solutions
[Diagram labels: Router, Fast link, Memory, Network, NetFlow data, Server, Analysis, Traffic reports, Network Operations Center; constraints marked: memory size & bandwidth, network bandwidth]

Motivating question
Can we count flows at line speeds at the router?
  – Wrong solution – counters
  – Naïve solution – use hash tables (like NetFlow)
  – Our approach – use bitmaps

Bitmap counting algorithms
A family of algorithms that can be used as building blocks in various systems
Algorithms can be adapted to application
Low memory and per packet processing
Generalize flows to distinct header patterns
  – Count flows or source addresses to detect attack
  – Count destination address+port pairs to detect scan

Talk structure
Per packet processing for bitmap algorithms
Computing flow count estimates from bitmaps
Variance analysis of estimates
Derived algorithms
Related work
Measurements
Conclusions

Bitmap counting – direct bitmap
HASH(green)=
Set bits in the bitmap using hash of the flow ID of incoming packets

Bitmap counting – direct bitmap
HASH(blue)=
Different flows have different hash values

Bitmap counting – direct bitmap
HASH(green)=
Packets from the same flow always hash to the same bit

Bitmap counting – direct bitmap
HASH(violet)=
Collisions OK, estimates compensate for them

Bitmap counting – direct bitmap
HASH(orange)=

Bitmap counting – direct bitmap
HASH(pink)=

Bitmap counting – direct bitmap
HASH(yellow)=
As the bitmap fills up, estimates get inaccurate

Bitmap counting – direct bitmap
HASH(green)=
Solution: use more bits

Bitmap counting – direct bitmap
HASH(blue)=
Solution: use more bits
Problem: memory scales with the number of flows

Bitmap counting – virtual bitmap
Solution:
a) store only a portion of the bitmap
b) multiply estimate by scaling factor

Bitmap counting – virtual bitmap
HASH(pink)=

Bitmap counting – virtual bitmap
HASH(yellow)=
Problem: estimate inaccurate when few flows active

Bitmap counting – multiple bmps
Solution: use many bitmaps, each accurate for a different range

Bitmap counting – multiple bmps
HASH(pink)=

Bitmap counting – multiple bmps
HASH(yellow)=

Bitmap counting – multiple bmps
Use this bitmap to estimate number of flows


Bitmap counting – multires. bmp
Problem: must update up to three bitmaps per packet
Solution: combine bitmaps into one
[Figure label: OR]

Bitmap counting – multires. bmp
HASH(pink)=

Bitmap counting – multires. bmp
HASH(yellow)=


Basic estimates
Direct bitmap
Virtual bitmap
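An added example, not from the original slides: direct and virtual bitmap counting in Python, using the standard linear-counting estimate b·ln(b/z) for a bitmap of b bits with z bits still zero, scaled by h/b when only b of h hash positions are stored. The BLAKE2b hash and its key, the class and function names, and the flow IDs are assumptions of this example.

```python
import hashlib
import math

def flow_hash(flow_id: bytes, key: bytes = b"constructed-key") -> int:
    # Keyed 64-bit hash of the flow ID. The slides do not name a hash
    # function; BLAKE2b is this example's choice.
    digest = hashlib.blake2b(flow_id, digest_size=8, key=key).digest()
    return int.from_bytes(digest, "big")

class VirtualBitmap:
    """b physical bits covering the first b positions of an h-position hash
    space. With h == b this is the direct bitmap."""

    def __init__(self, physical_bits: int, virtual_bits: int = 0):
        self.b = physical_bits
        self.h = virtual_bits or physical_bits
        self.bits = bytearray(self.b)  # one byte per bit, for readability

    def add(self, flow_id: bytes) -> None:
        pos = flow_hash(flow_id) % self.h
        if pos < self.b:        # flows hashing outside the stored portion are ignored
            self.bits[pos] = 1  # repeat packets of a flow set the same bit again

    def estimate(self) -> float:
        zeros = self.b - sum(self.bits)
        if zeros == 0:
            return math.inf     # saturated bitmap: no finite estimate
        # Linear-counting estimate of the flows that hit the stored bits,
        # b*ln(b/z), scaled by h/b for the unstored part of the hash space.
        return self.h * math.log(self.b / zeros)

def count_flows(packets, physical_bits, virtual_bits=0):
    bitmap = VirtualBitmap(physical_bits, virtual_bits)
    for flow_id in packets:
        bitmap.add(flow_id)
    return bitmap.estimate()

def constructed_trace(n_flows, packets_per_flow=3):
    # Constructed sample input: n_flows distinct flow IDs, each seen several times.
    return [b"flow-%d" % i for i in range(n_flows)] * packets_per_flow

if __name__ == "__main__":
    small, large = constructed_trace(2000), constructed_trace(20000)
    print("direct 4096 bits, 2000 flows  :", round(count_flows(small, 4096)))
    print("direct 1024 bits, 20000 flows :", count_flows(large, 1024))
    print("virtual 1024 of 16384, 20000  :", round(count_flows(large, 1024, 16384)))
```

The second case saturates the 1024-bit direct bitmap and returns infinity; the third keeps the same 1024 bits of memory but stores one sixteenth of the hash space, which brings the estimate back into range.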

Multiresolution bitmap estimate
Find most accurate component
Estimate number of flows hashing to it
Apply scaling factor


Relative error in estimates
Direct bitmap
Virtual bitmap
Multiresolution bitmap

Error of virtual bitmap
[Plot: average (relative) error vs. flow density (flows/bit)]

Memory requirements
Direct bitmap | < N / ln(Nε² + 1)
Virtual bitmap | 1.5441 / ε²
Multiresolution bitmap | ln(Nε²) / ε² + ct.

million flows, error 1%
Hash table* | 1.21 Gbytes
Direct bitmap | 1.29 Mbytes
Virtual bitmap* | 1.88 Kbytes
Multiresolution bitmap | 10.33 Kbytes


Triggered bitmap
Need multiple instances of counting algorithm (e.g. port scan detection)
Many instances count few flows
Triggered bitmap
  – Allocate small direct bitmap to new sources
  – If number of bits set exceeds trigger value, allocate large multiresolution bitmap


Related work
Flajolet, Martin (1985) probabilistic counting
  – Memory use similar to multiresolution bitmap
Whang et al (1990) introduce direct bitmap
You, Chang (1996) use virtual bitmap
Chaudhuri, Motwani, Narasayya (1998)
  – Counting flows without bias impossible from sampled data
Duffield, Lund, Thorup (2002)
  – Accurate solutions based on counting TCP SYN flags


Multires. bmp. vs. prob. counting
[Plot: average (relative) error vs. number of flows (log scale)]

Scan detection memory usage
Interval length | Snort (naïve) | Probabilistic counting | Triggered bitmap
12 seconds | 1.94 M | 2.42 M | 0.37 M
600 seconds | 49.60 M | 22,34 M | 5.59 M


A family of counting algorithms
Setting | Algorithm | Applications
General counting | Multiresolution bmp. | Track infections
Narrow range | Virtual bitmap | Triggers (e.g. DoS)
Small counts common | Triggered bitmap | Port scans
Stationarity | Adaptive bitmap | Measurement
Add and delete | Increment-decrement | Scheduling

Bitmap counting algorithms
A family of algorithms that can be used as building blocks in various systems
Algorithms can be adapted to application
Low memory and per packet processing
  – With 2 Kbytes error around 1%

The end
Bitmap algorithms will be available at:
Any questions?
Acknowledgements: Vern Paxson, David Moore, Philippe Flajolet, Marianne Durand, Alex Snoeren, K Claffy, Stefan Savage, Florin Baboescu, NIST, NSF

Adaptive bitmap
Virtual bitmap measures accurately number of flows if range known in advance
Often number of flows does not change rapidly
Measurement repeated
Can use previous measurement to tune virtual bitmap
Combine a large virtual bitmap with a small multiresolution bitmap used for tuning

Adaptive bitmap accuracy
[Plot: average (relative) error vs. number of flows (log scale)]

With 2 kilobytes of memory
Trace | Adaptive bitmap (min avg max) | Probabilistic counting (min avg max)
Trace1 | -4.4% 1.1% 4.7% | -9.5% 2.8% 13.3%
Trace2 | -1.9% 0.7% 2.0% | -6.9% 2.8% 7.6%
Trace3 | -1.8% 0.6% 1.8% | 2.4% 10.2% 17.7%

Increment-decrement algorithms
Active flow defined as flow with packets in queue
Must support additions and deletions
Replace bits of bitmap with counters
  – Increment when packet arrives
  – Decrement when packet leaves
  – Estimate number of flows based on zero counters