Presentation is loading. Please wait.

Presentation is loading. Please wait.

A flow aware packet sampling mechanism for high speed links

Published bySonja van der Linden Modified over 5 years ago

Similar presentations

Presentation on theme: "A flow aware packet sampling mechanism for high speed links"— Presentation transcript:

1 A flow aware packet sampling mechanism for high speed links
Marco Canini DIST University of Genoa Damien Fay Computer Laboratory University of Cambridge Andrew W. Moore Computer Laboratory University of Cambridge Raffaele Bolla DIST University of Genoa Work done while visiting the Cambridge University Computer Laboratory

2 Goal Enable for inline, real-time, application-centric traffic classification Based upon a fixed number of packets at the start of all flows Permit implementation at 10+ Gbit/s

3 Motivation Studies* show that start of flow information allows for accurate identification of traffic Traditional packet sampling and NetFlow don’t provide required information Heavy-tailed nature of Internet traffic allows discarding of significant amount of data without processing * For example: [1] W. Li and A. W. Moore. A Machine Learning Approach for Efficient Traffic Classication. In Proceedings of the IEEE MASCOTS, October 2007. [2] L. Bernaille, R. Teixeira, and K. Salamatian. Early Application Identication. In Proc. of ACM CoNEXT, December 2006.

4 Method Focus upon the sampling of a fixed number of packets at the start of all flows The scheme consists of two levels Per-packet level Within a time window of length W, an algorithm based on Bloom filters identifies and samples the first N packets from each flow that occur in that window Per-window level The memory allocation mechanism finds the parameters required in the sampling scheme

5 Bloom filter refresher
Simple space-efficient probabilistic data structure for representing a set of elements Supports the insert() and query() operations False positives are possible False negatives are not possible Implemented with an array of m bits and uses k hash functions to map elements to [0,…,m-1]

6 Per-packet level Packet N+1 Packet N Packet 1 Packet 2 discard …
Flow Id (IP tuple) Id1 true true true query() query() query() false false false insert() insert() insert() Id1 Id1 sample

7 Per-packet level Packet 1 Packet N discard Id2 … Flow Id (IP tuple)
true true true query() query() query() false false insert() insert() Id2 sample Packet 2 Packet N-1

8 False positives False positives introduce sampling errors
Packets that should have been sampled get discarded Discarded are only ever at the end Reduce false positives by Resetting the filters periodically (at the end of each time window) Optimize the memory based upon the traffic

9 Theory 1 After n elements have been inserted, the probability that a specific bit is still 0 is The probability of a false positive is approximated with that is minimized for In this application we are interested in the number of false positives that occur as the Bloom filter is being filled. The expected number of false positives is where n is the expected number of elements that will be inserted within the current window And considering a bank of N Bloom filters

10 Theory 2 : Per-window level
Aim to divide a block of memory M into N different portions optimally The allocation of mj is given by a system of linear equations However the number of elements that will be inserted in the filters, nj, are unknown and have to be estimated (in our case using an AR model)

11 Theory 3 : Window length Given an acceptable level of false positives the appropriate value of W can be estimated by use of a search algorithm as the number of false positives is a function of the window size

12 Theory Summary Memory limits number of samples and size of Bloom filters False positive rate allows near-ideal sizing of Bloom filters (for a given amount of memory) False positive rate is estimated via AR Window length sets rate at which filters are reset

13 Results Software implementation
12 hours trace from the edge of a research institute connected via a full-duplex 1 Gbit/s link

14 Results: false positives

15 Results: sampled packets

16 Results: sampled bytes

17 Sampled packets, varying M

18 Sampled bytes, varying M

19 Effects of false positives
M Affected flows Unsampled packets Unsampled bytes 512KB 5529 (0.0021%) (0.0221%) (0.0323%) 1024KB 4863 (0.0018%) 58007 (0.0024%) (0.0037%) 1576KB 4274 (0.0016%) 15830 (0.0006%) (0.0010%) 2048KB 4237 (0.0016%) 6086 (0.0003%) (0.0004%)

20 Sampling plus flow classifier
We used a pattern matching flow classifier derived from open source tool l7-filter Test data contains 2,642,841 flows With sampling (N = 10, W = 120, M = 512 KB) 2,636,549 flows are reported 6,292 (0.0024%) unreported flows 6,021 (0.0023%) flows had classifier error Total error is 12,323 (0.0047%) flows

21 Future Work FPGA based hardware implementation Flow sampling works
Focus shifted to improving classification (identification) of applications

Download ppt "A flow aware packet sampling mechanism for high speed links"

Similar presentations

Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan And improvements with Kai-Min Chung.

Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan And improvements with Kai-Min Chung.
Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1.

Author : Xinming Chen,Kailin Ge,Zhen Chen and Jun Li Publisher : ANCS, 2011 Presenter : Tsung-Lin Hsieh Date : 2011/12/14 1.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.

OpenSketch Slides courtesy of Minlan Yu 1. Management = Measurement + Control Traffic engineering – Identify large traffic aggregates, traffic changes.
Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan.

Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
Estimating TCP Latency Approximately with Passive Measurements Sriharsha Gangam, Jaideep Chandrashekar, Ítalo Cunha, Jim Kurose.

Estimating TCP Latency Approximately with Passive Measurements Sriharsha Gangam, Jaideep Chandrashekar, Ítalo Cunha, Jim Kurose.
Paging Hardware With TLB

Paging Hardware With TLB
Indian Statistical Institute Kolkata

Indian Statistical Institute Kolkata
11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 2010/10/25.

11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 /10/25.
ClassBench: A Packet Classification Benchmark

ClassBench: A Packet Classification Benchmark
Router Architecture : Building high-performance routers Ian Pratt

Router Architecture : Building high-performance routers Ian Pratt
Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.

Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.
Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.

Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.
Trajectory Sampling for Direct Traffic Observation Matthias Grossglauser joint work with Nick Duffield AT&T Labs – Research.

Trajectory Sampling for Direct Traffic Observation Matthias Grossglauser joint work with Nick Duffield AT&T Labs – Research.
Polytechnic University,ECE Department1 Detection of “Hot Spots” Paper Title : Joint Data Streaming and Sampling Techniques for Detection of Super Sources.

Polytechnic University,ECE Department1 Detection of “Hot Spots” Paper Title : Joint Data Streaming and Sampling Techniques for Detection of Super Sources.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
Look-up problem IP address did we see the IP address before?

Look-up problem IP address did we see the IP address before?
Payload Attribution via Hierarchical Bloom Filters

Payload Attribution via Hierarchical Bloom Filters
1Bloom Filters Lookup questions: Does item “ x ” exist in a set or multiset? Data set may be very big or expensive to access. Filter lookup questions with.

1Bloom Filters Lookup questions: Does item “ x ” exist in a set or multiset? Data set may be very big or expensive to access. Filter lookup questions with.

Similar presentations

Ads by Google