Taming Internet Traffic Some notes on modeling the wild nature of OD flows Augustin Soule Kavé Salamatian Antonio Nucci Nina Taft Univ. Paris VI Sprintlabs Intel Berkeley

What’s next  Definition of the problem  Overview of the approach  Study of the modeling part  Study of the Tracking part

Network monitoring (1)  Network state results from  Traffic demand  OD matrix  Capacity offer  Routing matrix, link capacity, traffic engineering, etc…  Objective of the network operator  To drive the equilibrium point to the most beneficial  By managing the capacity offer  Traffic engineering is the art of managing capacity offer

Network monitoring (2)  Monitoring  Capacity offer  Pings, failure monitoring, SNMP reports  Traffic demand ?  Is not observable per se  At least in real time  Have to infer it indirectly  Traffic counts

Network monitoring (3)  Monitoring ?  Being able to separate  What is predicted  Expected, under control, normal, …  What is unpredicted  Unexpected, Out of range, abnormal, …  Occam razor view  Express what is predictable by a short model  Describe fully what is unpredictable  Interpretation view  Only what is unpredictable have to be given a sense  What is predictable give no information

Architecture of a network monitoring system

Overview of the solution  Model the normal behavior of traffic demand  At sufficient granularity level  Relevant granularity for operator ?  Compare observation with prediction made by model  Rise an alarm if a divergence is seen  Wow, I just rediscovered Kalman Filter!

What’s a traffic matrix?  Can define variety of matrices  Select timescale  Select node granularity: router, prefix, POP, etc.  Application wise ! City A City B City C City A City B City C origin destination 25 Mbps

Notation: Problem Formulation Link1 Link2 Link3. Link L = OD AB OD AC OD AD / routing matrix Y = A X Have linear system: YA X from SNMP link counts from IGP link weights issue: # links underconstrained system => infinite # of solutions

OD Traffic Dynamics (1)

OD traffic dynamics (2)  Temporal correlations  Diurnal, weekly, monthly, etc..  Spatial correlation  Same Origin Pop  Same destination PoP  Create a dynamic LTI model for OD flows capturing temporal and spatial dependences  X(t+1) = C*X(t)+W(t)  W(t) account for model unprecision

Traffic Model  State space model :  How to calibrate C, Q and R?  EM method  Find the value of C, Q and R such that the observations are most likely to be observed  Observations might be OD traffic itself or the link count  OD traffic is better, Sometimes no other choice   Good initial point are needed.  Use OD traffic first, link count next  Multi-linear Method  X(t+1) is expressed as a multi-linear relation of X(t)  Lead to a diagonal matrix Q

Raw data  Let’s suppose we have gathered over one day the full OD matrix  Sampled Aggregate NetFlow (Cisco) used on all routers inside Sprint’s European network.  Flow = 5-tuple src, port dst, proto)  Each flow is sampled every 250th packet.  Downloaded BGP tables and configuration files from all routers: Used to determine egress points within Sprint’s AS => yielding the FULL traffic matrix.  Three weeks of data from August  Many thanks to Anukool Lakhina to collect/process the raw data :)

Inside the model Impulse response of the filter At time t=1 OD 1 is set to 1 See the propagation of this impulse on all the other OD pairs  24 h Periodicity  Exponentially decreasing Sinusoid

Inside the model Radius : Amplitude of the eigenvalue Angle : Frequency of the eigenvalue Pole diagram  r

Inside the model Filtering the eigenvalues Filter out the over learning -Remove small timescale fluctuations -Remove Fast oscillations  Keep the White area

Kalman filtering  Filter out what is compatible with the model from what is incompatible  Do it by comparing what is predicted by the model with what is observed  Innovation process:  two steps  Prediction  Correction

Example of fitting

Monitoring information  Confidence interval can be made on innovation process  If then something out of prediction has happened  Raise an alarm !  Is every change a problem ?  Same approach for OD pairs  Ability to track changes on each OD  Might be useful for DDoS attack detection and management

Innovation on the link

Innovation on the OD Need to recalibrate the model For these OD pairs

Recalibration !  Need to find out the new model !  Several way  Do a netflow acquisition for all changing OD flows. Mix with previous OD flow. Recalibrate the model  Use traffic count for recalibrating the model using EM method with previous model as starting point  Develop a continuous time adaptive mechanism  Use LMS or RMS algorithm  Use a sliding windows

Example of fitting After recalibrations

Innovation After Recalibrations

L2-Norm over time

Contributions  New tracking approach for network monitoring  Using Time and Spatial correlation  OD flows model  Able to detect deviations from the model  Thanks to Kalman Filter  Really Fast and Scalable.  Whole process in less than 2 minutes for 14 days  Validated using real Traces.