Presentation is loading. Please wait.

Presentation is loading. Please wait.

RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao.

Published byDamian Tyler Modified over 9 years ago

Similar presentations

Presentation on theme: "RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao."— Presentation transcript:

1 RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao

2 Internet A plethora of Internet applications  Objectives  Re-provision networks  Detect undesirable behaviors of applications  Prepare network better against major application trends 2) Measure/Monitor 1) Emergence of new applications 3) Characterization

3 Monitoring applications at an edge  Goal: Monitoring application behavior  Identify number of flows  Identify number of packets  Current Solution: Sampled NetFlow  Supported by most modern routers  Key limitation: Application session structure gets distorted  Small # of flows per application session  Small # of packets per application session Enterprise Network Edge Router Internet Sampled NetFlow

4 Preserving application structure in flow measurements  Benefit 1: Enables continuous monitoring of applications  Better understanding about communication patterns  Better understanding of characteristics (# of flows, packets)  Benefit 2: Application classification becomes easier  Statistical machine learning techniques: SVM, C4.5, etc.  Social behavior-based classifier: BLINC  Benefit 3: Detecting undesirable traffic patterns of an application

5 Contributions  Introduce the notion of related sampling  Flows belonging to the same application session are sampled with higher probability  Propose RelSamp architecture for realizing related sampling  Uses three stages of sampling to preserve application structure  Show efficacy in preserving application structure  Captures more number of flows per application session  Significant increase of accuracy in application classification

6 Related sampling App2 App1App3 Original application structure Sampled NetFlow Related sampling Key idea: Sample more flows from fewer application sessions

7 Realizing related sampling  Question 1: How to sample an application session ?  Question 2: How to sample packets within an application session ?

8 Defining application session  A sequence of packets from an application on a given host with inter-arrival time ≤ τ seconds  Packets may belong to different flows to different destinations  Example 1: BitTorrent connections to several destinations within a short span of time constitute an application session  Example 2: Web connections from a browser several seconds apart constitute different application sessions

9 Sampling an application session  One possible approach: Similar to Sampled NetFlow  Sample packets with some probability  Create an application session record if no record exists  Update the application session record  Problem: Hard to do in an online fashion  No application session identifier (like flow key)  Need to know all flows that constitute an application session  DPI-based techniques are both difficult and incomplete

10 Our approach: sampling hosts  Observation: Host is a super-set of an application session  Sample more flows from the same host  Flows originating at a same host closely in time typically belong to few application sessions  About 80% hosts run fewer than 2 applications in our study  More details in the paper

11 RelSamp design  Three-stage sampling process consisting of host, flow, and packet selection stages  Host stage: hash-based sampling  No state maintained on a per-application basis  Many application sessions for a given host are possibly sampled  Change hash function periodically to track different hosts  Flow and packet stages: random packet sampling  Controls fraction of flows sampled in an application session and packets sampled in a flow  Post processing: Can separate flow records into application sessions using port-based/statistical classifiers

12 RelSamp architecture Host-level bias stage Flow-level bias stage Pkt-level bias stage 1 1 Copy PhPh Selection range H(SrcIP) Hash space P h = selection range / hash space PfPf if ( random no. ≤ P f && no flow record) create a flow record PpPp if ( random no. ≤ P p && flow record) update the flow record 1 Tunable parameters 2 2 Flow Memory

13 Exploring parametric space  Router sampling budget P e = f(P h, P f, P p )  Trade-off between accuracy of flow statistics and # flows/application session  Parameters can be tuned depending on  Objective  Network environment  Examples of tuning parameters by objective  Application classification: low P h, high P f, low P p  Application characterization: lower P h, high P f, high P p  Flow statistics of all flows: P h = P f = P p = P e

14 Evaluation goals  Application characterization  Question 1: Is RelSamp effective for sampling more # of flows in an application session?  Question 2: Can RelSamp estimate statistics of an application session?  Application classification  Questions 3: Is sampling more # flows in an application session beneficial for application classification?

15 Experimental setup

16 Flows per application session #captured flows/#total flows in an app session CDF More # of flows per app session

17 Accuracy of BLINC classifier Sampling rate Accuracy (%) Note: classification results on flows using non-standard port ~ 50% increase

18 Related work  Flow Sampling [ToN ’06]  Samples flows once flow record is created  Flow Slices [IMC ’05]  Focuses on controlling router resources (CPU and memory)  cSamp [NSDI ’08]  Supports sampling of all traffic by coordinating various vantage points in a network  FlexSample [IMC ’08]  Support monitoring of traffic subpopulations, but needs to maintain extra states for approximate checking of predicates

19 Summary  Introduced the notion of related sampling  Samples more number of related flows in the same application session with higher probability  Proposed RelSamp architecture  Preserve application structure in sampled flow records  Effective to preserving application session structure  5-10x more flows per application session compared to Sampled NetFlow  Up to 50% higher classification accuracy than Sampled NetFlow

20 Thank you! Questions?

21 Evaluation method of classification techniques DPI-based Classifier RelSamp Sampled NetFlow Flow Sampling Ground Truth Flow Record1 Flow Record2 Flow Record3 Classification Algorithm (e.g., BLINC, SVM, C4.5) Packet Trace Report Tstat

22 Comparison with other solutions using BLINC Sampling rate # of accurately classified flows Note: classification results on flows using non-standard port

Download ppt "RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao."

Similar presentations

1 VLDB 2006, Seoul Mapping a Moving Landscape by Mining Mountains of Logs Automated Generation of a Dependency Model for HUG’s Clinical System Mirko Steinle,

1 VLDB 2006, Seoul Mapping a Moving Landscape by Mining Mountains of Logs Automated Generation of a Dependency Model for HUG’s Clinical System Mirko Steinle,
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Fine-Grained Latency and Loss Measurements in the Presence of Reordering Myungjin Lee, Sharon Goldberg, Ramana Rao Kompella, George Varghese.

Fine-Grained Latency and Loss Measurements in the Presence of Reordering Myungjin Lee, Sharon Goldberg, Ramana Rao Kompella, George Varghese.
Enabling Flow-level Latency Measurements across Routers in Data Centers Parmjeet Singh, Myungjin Lee Sagar Kumar, Ramana Rao Kompella.

Enabling Flow-level Latency Measurements across Routers in Data Centers Parmjeet Singh, Myungjin Lee Sagar Kumar, Ramana Rao Kompella.
1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)

1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)
Yoshiharu Ishikawa (Nagoya University) Yoji Machida (University of Tsukuba) Hiroyuki Kitagawa (University of Tsukuba) A Dynamic Mobility Histogram Construction.

Yoshiharu Ishikawa (Nagoya University) Yoji Machida (University of Tsukuba) Hiroyuki Kitagawa (University of Tsukuba) A Dynamic Mobility Histogram Construction.
Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.
Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.
IntroductionAQP FamiliesComparisonNew IdeasConclusions Adaptive Query Processing in the Looking Glass Shivnath Babu (Stanford Univ.) Pedro Bizarro (Univ.

IntroductionAQP FamiliesComparisonNew IdeasConclusions Adaptive Query Processing in the Looking Glass Shivnath Babu (Stanford Univ.) Pedro Bizarro (Univ.
1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.

1 (Un)Trustworthy Wireless: What your wireless traffic says about you… Jeff Pang with Ben Greenstein, Ramki Gummadi, Tadayoshi Kohno, David Wetherall (UW/Intel.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.

Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.
Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.

Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.
1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.

1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
Watchdog Confident Event Detection in Heterogeneous Sensor Networks Matthew Keally 1, Gang Zhou 1, Guoliang Xing 2 1 College of William and Mary, 2 Michigan.

Watchdog Confident Event Detection in Heterogeneous Sensor Networks Matthew Keally 1, Gang Zhou 1, Guoliang Xing 2 1 College of William and Mary, 2 Michigan.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.
Network Traffic Measurement and Modeling CSCI 780, Fall 2005.

Network Traffic Measurement and Modeling CSCI 780, Fall 2005.
PBS: Periodic Behavioral Spectrum of P2P Applications Tom Z.J. Fu, Yan Hu, Xingang Shi, Dah Ming Chiu and John C.S. Lui The Chinese University of Hong.

PBS: Periodic Behavioral Spectrum of P2P Applications Tom Z.J. Fu, Yan Hu, Xingang Shi, Dah Ming Chiu and John C.S. Lui The Chinese University of Hong.

Similar presentations

Ads by Google