D95725004 陳怡安 R96725019 解巽評 R96725023 高榮泰 IEEE/ACM TRANSACTIONS ON NETWORKING OCTOBER 2006 Cristian Estan, George Varghese, Member, IEEE, and Michael Fisk.

Presentation transcript:

D95725004 陳怡安 R96725019 解巽評 R96725023 高榮泰 IEEE/ACM TRANSACTIONS ON NETWORKING OCTOBER 2006 Cristian Estan, George Varghese, Member, IEEE, and Michael Fisk Advisor: Professor 林永松

2015/12/17 Bitmap Algorithms for Counting Active Flows on High-Speed Links 1/64
• Introduction
• Related Work
• Counting Algorithm & Analysis
• Measurement Results
• Conclusion

• This paper presents a family of bitmap algorithms that address the problem of counting the number of distinct header patterns (flows) seen on a high-speed link.
• The authors’ new probabilistic algorithms use little memory and are fast.

• Detect port/IP scans
• Identify DoS attacks
• Estimate spreading rate of a worm
• Packet scheduling
Counting is especially hard when processing must be done within a packet arrival time.

Naïve solution – use hash tables (like NetFlow)
Best known prior algorithm – probabilistic counting
This paper's approach – use bitmaps & probabilistic algorithm

• General purpose: multiresolution bitmap
• Whole family of counting algorithms that further improve performance by taking advantage of particularities of the specific counting application.
• Adaptive bitmap
• Triggered bitmap

• A flow is defined by an identifier given by the values of certain header fields.
• Example: define a flow by source and destination IP addresses
• The problem we wish to solve is counting the number of distinct flow identifiers (flow IDs) seen in a specified measurement interval.

• An intrusion detection system looking for port scans could count, for each active source address, the flows defined by destination IP and port, and suspect any source IP that opens more than three flows in 12 s of scanning.

• Cost of large memory
• Power consumption
Need solutions that:
1. Use small amount of memory
2. Have high accuracy

• Introduction
• Related Work
• Counting Algorithm Family
• Algorithm Analysis
• Measurement Results
• Conclusion

• Flajolet, Martin (1985): probabilistic counting
• Memory use similar to multiresolution bitmap
• Whang et al. (1990) introduce direct bitmap
• You, Chang (1996) use virtual bitmap
• Duffield, Lund, Thorup (2002)
• Accurate solutions based on counting TCP SYN flags

Active Flow Counting Algorithms
• Direct Bitmap
• Virtual Bitmap
• Multiresolution Bitmap
• Adaptive Bitmap
• Triggered Bitmap

[Figure: flow IDs hashed to bits of the bitmap]
• Set bits in the bitmap using the hash of the flow ID of incoming packets
• Different flows have different hash values
• Packets from the same flow always hash to the same bit
• Collisions are OK; estimates compensate for them

• b is the bitmap size
• The probability that a flow hashes to a given bit: 1/b
• n is the number of given flows; the probability that no flow hashes to a given bit is
• Expected number of bits not set is:
• The estimation for the number of active flows is: (1)
Observation: The estimation goes BAD when z goes near 0!!

increases, and standard deviation increases and Z decreases!!

Var(V_n) is easy to obtain! Using Taylor expansion and Var(V_n) to obtain

As the number of flows grows far beyond the expected upper limit, estimates get inaccurate.

Solution: use more bits
Problem: memory scales with the number of flows

Solution:
a) store only a portion of the bitmap
b) calculate estimate by scaling factor

• Similar to what we did for the direct bitmap
• n: total number of active flows; m: the number of active flows that hash to the virtual bitmap
• The probability distribution of m is binomial, and the expected value is:
• We can use (1) to estimate m and obtain n by dividing it by α

• Slightly different from what we obtained via the direct bitmap
Problem: estimate inaccurate when few flows active
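The direct and virtual bitmap estimators described above, as an added example that is not taken from the slides or from the paper's code. It assumes the standard estimate b·ln(b/z) for a b-bit map with z zero bits, BLAKE2b as the hash, one byte per bit, and constructed flow IDs; all class and function names are hypothetical.

```python
import hashlib
import math

def flow_hash(flow_id: bytes) -> int:
    """Uniform 64-bit hash of a flow ID (BLAKE2b is this example's choice)."""
    return int.from_bytes(hashlib.blake2b(flow_id, digest_size=8).digest(), "big")

def linear_count(b: int, zeros: int) -> float:
    """Flows that hashed into a b-bit map, estimated from z zero bits: b*ln(b/z)."""
    if zeros == 0:
        raise OverflowError("bitmap saturated (z = 0): no estimate possible")
    return b * math.log(b / zeros)

class DirectBitmap:
    def __init__(self, b: int):
        self.b = b
        self.bits = bytearray(b)          # one byte per bit, for readability

    def update(self, flow_id: bytes) -> None:
        self.bits[flow_hash(flow_id) % self.b] = 1

    def estimate(self) -> float:
        return linear_count(self.b, self.bits.count(0))

class VirtualBitmap(DirectBitmap):
    """Stores only the slice of the hash space below alpha * 2**64."""
    def __init__(self, b: int, alpha: float):
        super().__init__(b)
        self.alpha = alpha
        self.limit = int(alpha * 2**64)

    def update(self, flow_id: bytes) -> None:
        h = flow_hash(flow_id)
        if h < self.limit:                # flow is inside the sampled slice
            self.bits[h % self.b] = 1

    def estimate(self) -> float:
        # Estimate m (flows in the slice), then divide by alpha to get n.
        return super().estimate() / self.alpha

def constructed_flows(n: int):
    """Constructed flow IDs: n distinct (source IP, destination IP) pairs."""
    for i in range(n):
        yield f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}>192.0.2.1".encode()

def run(counter, n: int, packets_per_flow: int = 3) -> float:
    for _ in range(packets_per_flow):     # repeated packets must not add flows
        for fid in constructed_flows(n):
            counter.update(fid)
    return counter.estimate()

if __name__ == "__main__":
    print("direct,  n=1000:  ", round(run(DirectBitmap(4096), 1000)))
    print("virtual, n=100000:", round(run(VirtualBitmap(4096, 1 / 32), 100_000)))
    try:
        run(DirectBitmap(4096), 100_000, packets_per_flow=1)
    except OverflowError as exc:          # z reached 0, as the slides warn
        print("direct,  n=100000:", exc)
```

With the same 4096 bits, the direct bitmap saturates at 100,000 flows while the virtual bitmap still gives an estimate, at the cost of sampling error when few flows are active.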

Solution: use many bitmaps, each accurate for a different range

Use this bitmap to estimate number of flows

Problem: must update up to three bitmaps per packet
Solution: combine bitmaps into one (OR)

• Select the suitable “Base Component”, in which the coarsest component has no more than set max bits set
• Add the bits in the base component together and multiply by the scaling factor

Find most accurate component
Estimate number of flows hashing to it
Apply scaling factor

• Every component could be the “Base Component”
• If the error of some component is too large?
• Change to a finer one as the “Base Component”!
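A sketch of the multiresolution bitmap and its base-component selection as the slides describe them, added here as an example and not the paper's own code. It assumes every component has b bits, k = 2, a constructed fill limit of ρ_max = 1.594, BLAKE2b as the hash, and constructed flow IDs; all names are hypothetical.

```python
import hashlib
import math

class MultiresolutionBitmap:
    """c components of b bits; component i covers (k-1)/k**(i+1) of the hash
    space and the last one covers the remainder (sizes are an assumption)."""

    def __init__(self, b: int, c: int, k: int = 2, rho_max: float = 1.594):
        self.b, self.c, self.k = b, c, k
        self.set_max = b * (1 - math.exp(-rho_max))   # fill limit per component
        self.comp = [bytearray(b) for _ in range(c)]  # one byte per bit

    def update(self, flow_id: bytes) -> None:
        d = hashlib.blake2b(flow_id, digest_size=16).digest()
        u = int.from_bytes(d[:8], "big") / 2**64      # selects the component
        pos = int.from_bytes(d[8:], "big") % self.b   # selects the bit
        i = 0
        while i < self.c - 1 and u < 1 / self.k:
            u *= self.k
            i += 1
        self.comp[i][pos] = 1                         # exactly one bit per packet

    def estimate(self) -> float:
        ones = [sum(component) for component in self.comp]
        if ones[-1] == self.b:
            raise OverflowError("last component is full: too many flows")
        # Base = widest-coverage component such that it and every component
        # after it (except possibly the last) holds at most set_max set bits.
        base = self.c - 1
        while base > 0 and ones[base - 1] <= self.set_max:
            base -= 1
        # Flows that hashed to components base..c-1, via b*ln(b/z) on each one.
        m = sum(self.b * math.log(self.b / (self.b - ones[i]))
                for i in range(base, self.c))
        # Those components cover 1/k**base of the hash space: scale back up.
        return self.k ** base * m

def estimate_constructed(n: int, b: int = 1024, c: int = 10) -> float:
    """Feed n constructed flow IDs (two packets each) and return the estimate."""
    mr = MultiresolutionBitmap(b, c)
    for _ in range(2):
        for i in range(n):
            mr.update(b"flow-%d" % i)
    return mr.estimate()

if __name__ == "__main__":
    for n in (500, 200_000):
        print(n, "flows ->", round(estimate_constructed(n)))
```

The same 10 × 1024 bits handle both 500 and 200,000 flows: for the small count every component is used, for the large count the saturated components are skipped and the rest are scaled.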

[Figure: Direct bitmap, Virtual bitmap, Multiresolution bitmap]

• The accuracy of a well-tuned virtual bitmap together with the wide range of multiresolution bitmaps!!
• A small multiresolution bitmap estimates the magnitude of the number of active flows, and a large virtual bitmap counts them precisely
• The resolution of the virtual bitmap can be adjusted

• Two updates?
• Replace r adjacent components in the multiresolution bitmap with a virtual bitmap
• While the flow number is large, replace the components in high resolution.
• While the flow number is small, replace the components in low resolution

When the flow number is small: replace the components of high resolution with the virtual bitmap
When the flow number is large: replace the components of lower resolution with the virtual bitmap

• As for port scans...?
• A multiresolution bitmap for each active source??
• This multiresolution bitmap has to be able to handle a large number of flows
• Most traffic is NOT port scans
• A WASTE!!!

• A small direct bitmap + a large multiresolution bitmap
• The small direct bitmap counts the active flows from a given source
• Once the number exceeds the threshold, a large multiresolution bitmap will be allocated for this source

N: the maximum flow number we plan to measure

• Sweet spot!
• ρ optimal: 1.594, z/b: 20.3%

• b, set max, c, k
• $b = f(k)/\varepsilon^2$
• $\text{set max} = b\,(1 - e^{-\rho_{max}})$
• $c = 2 + \log_k\!\left(N/(\rho_{max}\, b)\right)$ (N is the maximum flow number we want to measure)
• f(k)/ln(k) is an indicator of memory usage

Measurement
• Packet trace data (IP headers over a link)
• Measurement interval: 5 s
• Flow definition: 5-tuple of source and destination IP addresses, ports, and protocol

Virtual Bitmap
• Low density: sampling error
• High density: collision error

Virtual Bitmap (cont.)
• Comparison
• Problem-specific counting method for a specific problem like threshold detection can significantly outperform a one-size-fits-all technique like probabilistic counting.

Multiresolution Bitmap
• Configured for average error of 10%

Multiresolution Bitmap (cont.)
• Configured for average error of 3%, 1%

Adaptive Bitmap
• Comparison
• Adaptive bitmap can achieve almost the same benefits of virtual bitmap when the number of flows does not vary dramatically.
Overestimating
Three times more accurate

Triggered Bitmap
• Comparison
• Our algorithm reported 84.6% of the sources with four connections, 98.1% of those with five, and all (100%) of the sources that had at least eight connections
Five times less memory

Triggered Bitmap (cont.)
• Trade-off between significantly less memory and possibly missing port scanners.
• However, the probability of a port scanner not being detected decreases exponentially with the number of connections it opens.
• For example, the probability is 1.87% at five connections, 0.23% at six, 0.03% at seven, and so on.

Triggered Bitmap (cont.)
• Port scans frequently touch not just a handful of addresses, but an entire block of contiguous addresses
• Our algorithms reduce the memory usage by as much as an order of magnitude
• Count more sources at a time
• Detect stealthy slow scans: counting sources with longer inter-arrival times

Conclusion
• Solve the flow counting problem using extremely small amounts of memory and produce satisfying accuracy
• Customizable counting algorithm for applications :