New Directions in Traffic Measurement and Accounting Cristian Estan (joint work with George Varghese)

The Problem
Measurement and monitoring of network traffic is required for Internet backbones. It is useful for short-term monitoring (e.g., DoS attacks), traffic engineering (e.g., rerouting), and accounting (e.g., usage-based pricing). How can we do so without tracking millions of ants to track a few elephants?

State of the art – Cisco NetFlow
Sample packets at high speeds; per-flow information based on samples; aggregate (based on ASes, prefixes, ports) at the router. Problems: inaccurate (due to sampling and loss), memory-intensive, slow (needs DRAM).

Towards a NetFlow Alternative
A small percentage of flows (elephants) accounts for a large percentage of traffic. The top 9% of flows account for 90% of AS-pair traffic in backbones (Fang-Peterson). Can we directly track flows that send, say, over 1% of link bandwidth without keeping track of all flows?

How to identify large flows?
We introduce two new methods for this purpose:
Sample-Counting: uses sampling only to decide which flows to watch exhaustively.
Multistage filter: uses multiple hash tables, allowing large flows to be identified while only allowing a small number of small flows (false positives) to pass through the filter.

Identify large flows by sampling

Multistage filters
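
An added example, not taken from the slides: a minimal Python sketch of the two identification methods named above, run on a constructed trace. The function names, the salted BLAKE2b stage hashes, the per-byte sampling probability, the choice to let already-tracked flows bypass the filter, and the 50,000-byte threshold are all assumptions made for illustration.

```python
import hashlib
import random

def bucket(flow, stage, buckets):
    # One independent hash per stage: BLAKE2b salted with the stage number.
    h = hashlib.blake2b(flow.encode(), digest_size=8, salt=bytes([stage]))
    return int.from_bytes(h.digest(), "big") % buckets

def multistage_filter(packets, threshold, stages=4, buckets=64):
    """Flows whose counter reached `threshold` in every stage -> bytes counted."""
    counters = [[0] * buckets for _ in range(stages)]
    memory = {}
    for flow, size in packets:
        if flow in memory:               # already identified: count exactly
            memory[flow] += size
            continue
        slots = [(s, bucket(flow, s, buckets)) for s in range(stages)]
        for s, i in slots:
            counters[s][i] += size
        if all(counters[s][i] >= threshold for s, i in slots):
            memory[flow] = size          # watched from this packet onward
    return memory

def sample_counting(packets, byte_prob, rng):
    """Sampling only picks which flows to watch; watched flows count every byte."""
    memory = {}
    for flow, size in packets:
        if flow in memory:
            memory[flow] += size
        elif rng.random() < 1 - (1 - byte_prob) ** size:
            memory[flow] = size          # sampled: hold an entry from now on
    return memory

def constructed_trace(rng):
    """Constructed input: 3 elephants (300 kB each) among 2000 mice (500 B each)."""
    packets = [(f"elephant-{e}", 1500) for e in range(3) for _ in range(200)]
    packets += [(f"mouse-{m}", 250) for m in range(2000) for _ in range(2)]
    rng.shuffle(packets)
    return packets

def true_bytes(packets):
    totals = {}
    for flow, size in packets:
        totals[flow] = totals.get(flow, 0) + size
    return totals

if __name__ == "__main__":
    rng = random.Random(2002)
    trace = constructed_trace(rng)
    for name, found in [("1 stage", multistage_filter(trace, 50_000, stages=1)),
                        ("4 stages", multistage_filter(trace, 50_000, stages=4)),
                        ("sample counting", sample_counting(trace, 1e-4, rng))]:
        print(f"{name}: {len(found)} flows tracked out of {len(true_bytes(trace))}")
```

The filter undercounts each identified flow by less than the threshold, because a flow is admitted no later than the packet that brings its own total up to the threshold.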

Operation of Sampled NetFlow
How accurate is Sampled NetFlow? 1 gigabyte/100 megabytes of data. Sampling one in 100 packets.

Error   1GB      100MB
1%      39.24%   79.03%
3%      1.07%    41.48%

Operation of our algorithms
Error1GB100MB 1%5.6E % 3%1.8E E-10 Error1GB100MB 1%0.08%49.69% 3%4.66E % Sampling 1/1000 Filter error: 0%

Comparison
Sampled NetFlow | Identify by sampling | Multistage filters
Accuracy: Medium | Good
False neg.: Few (high var.) | Few (low var.) | Never
False pos.: Few
Memory: Big | Small | Very small
Complexity: Low | Medium

High Speed Implementation?
John Huber of MMC Networks did a design of a chip doing filter counting: 450,000 transistors, under 1 watt of power, runs at OC-192 rates, 32 nsec per packet. It seems easily feasible to implement sample counting with similar complexity.

Potential Application: scalable threshold accounting
Measure flows sending over x% of link bandwidth using sample/filter counting. Bill using a flat fee plus a per-byte charge for flows over x%. Track aggregates directly to avoid evasion using several flows, each < x%. Generalizes usage-based (x = 0) and duration-based (x = 100) pricing.

Conclusions
Paradigm shift for measurement by concentrating only on heavy flows. Two new techniques (sample and filter counting) with small memory footprints and provable performance. The techniques make threshold accounting feasible, generalizing usage-based and duration-based pricing.